[Cryptech Tech] Seeking comments on a proposal for changes to the Cryptech RNG design.

[Benny Baumann]

Hi,

If there already is a useable core for SHA-3 which fulfills the performance  requirements and takes equal or less space I see this (SHA3-512) as a viable option to consider. Otherwise preference goes with Blake2s.

The design of SHA-3 with its kinda large state should help to keep enough entropy in the seed stream even if subsequent seeds were generated without having new data from our entropy sources mixed in.

IMHO (as a layman) we shouldn't reduce the internal state of the mixer for seed generation below 256 bit to keep a reasonable security margin should the entropy sources fail in mid-operation and leave the entropy pool in a state where no new entropy enters between many subsequently generated seeds for the DRBG.

OT: Has an entropy source like WhirlyGig[1] or some FPGA port of it[2] been considered as an additional entropy source? Having experimented with that code on some Papillio Pro board a while ago I found the general design to provide good results with dieharder when sending samples at 2Mbps. The bit stream could easily be scaled to provide 1Gbps; although I didn't try this due to lack of means to transfer data fast enough (The WhirlyGig core runs easily at 100MHz on the Papillio Pro).

So far for my 2ct as a (more or less) layman with theoretical crypto design; thus take thing mostly as my gutt feelings and with enough salt&pepper.

Kind regards,
Benny "BenBE" Baumann

[1] https://warmcat.com/hardware%20design/linux%20peripherals/2007/11/24/whirlygig-gpld-hwrng.html
[2] https://github.com/zdavkeos/whirlyfly

Am 23. März 2018 12:41:59 MEZ schrieb "Joachim Strömbergson" <joachim.strombergson at assured.se>:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Aloha!
>
>Manuel Domke wrote:
>> I see there is a need to make it smaller/faster but I don't think its
>> a good option to "downgrade" to SHA-256. From the (long-term)
>> security perspective I'd prefer using SHA-3 (Keccak-1600) instead of
>> SHA-2, like its done in my favorite entropy source - the Infinite
>> Noise TRNG - but whitening is fully implemented in software.
>> 
>> Maybe Blake2s is a good option to go for now? Especially when you
>> have an (partial) implementation. Its also been an SHA-3 finalist
>> just like the winner Keccak-1600.
>
>Cryptech has a SHA-3 core and could be used here.
>
>https://trac.cryptech.is/wiki/GitRepositories/core/hash/sha3
>
>The interface is a bit different, but could be adapted. Thanks for the
>suggestions and feedback.
>
>- -- 
>Med vänlig hälsning, Yours
>
>Joachim Strömbergson - Assured AB
>========================================================================
>
>-----BEGIN PGP SIGNATURE-----
>Comment: GPGTools - http://gpgtools.org
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
>iQIcBAEBCAAGBQJatOgHAAoJEF3cfFQkIuyNzMAQAINFQXRCm28JacZ2OocqQvlV
>D8/csS3alIcxzFbzzBW1Mj+11W6VMi9ucvgXmPlEKl2dHwDz6x2dO6XjfYISpQJO
>hIzPkqMMRursY5a6NENouIPNliNhDZH24K7rzU82ClrEs/H1T8WUBdDIfQ0oar1+
>n/jUk38q2PmqfsN9Pp56zhqKxTEp19Yv07pWMeOzyFFt2Oel155N8A+bHde2hQkC
>Yn80VgkRbi1COadlPMrG7BHRcXJPsEplsqDkv4P77qOarfQ19gIN3MBUwjCk8i1y
>XCjN5QItHHvvoWiWJYvh8JNZNolwOPaAs70+mOA3vTcEjdweAnkM2RNBWByOpUbS
>Bb+VpBQd0TFxzQcPRKR5P1GxYoPpaHfaRBc6aMH7w6zZ/Z3/L5y7bLadI1di89uT
>ilf3qXK7xpJQXg5FEAFx1xOBT1m9bXvSG2E/gCu39y7g1MJAzSSlPKBimjjs4sEu
>04SoP8dxTeJEPpCrK8ZCY7HsIsh2+9cmQD9m5jxNVX1jOfGcxbBfCsr0pOqewVoq
>eeSeMnYqV5ygryrAb4WzK2WyQPhOatQW2EqGbANdkjOq4eDVFCFg27Kwu62DZunD
>NSY9AyolwlYB6hL5tn0S2cs6wkwTu0dHuMJ62pfvkcEFGIrayH93dUZmG2vXErn9
>v2GqGc0OZjASVn40Td7N
>=ef2k
>-----END PGP SIGNATURE-----
>_______________________________________________
>Tech mailing list
>Tech at cryptech.is
>https://lists.cryptech.is/listinfo/tech