On Sun, Sep 8, 2013 at 10:18 PM, Greg Rose <g...@seer-grog.net> wrote:
> ...
> I actually hate to point this out, but having access to something that "looks
> like" a raw entropy source proves nothing. Given a design for a hardware RNG,
> with a characterization of its biases, I could straightforwardly take a
> stream generated by AES in counter mode with a 32-bit counter and do a kind
> of reverse distillation to make it look like the output from such a hardware
> RNG. Then, if the adversary knows what software is used to distill the
> entropy (and the AES key), the game is still over.
Two things:

1) I suspect a system to introduce realistically viable biases expected with a particular TRNG design is more complicated than you assume (especially when performing long-running analysis over a large corpus, not trivial / short checks like FIPS). It would certainly be much larger on die, but perhaps that is beside the point.

2) This underscores the need to combine multiple entropy sources, and not put all your trust in one built-in instruction.

The gist of your argument is correct; however, the microcode itself is a black box, just as suspect as other instructions, given enough resources and privileged access.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
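Point 2 above (combine several entropy sources rather than trusting one built-in instruction) is the kind of thing a practitioner can check in code. The following is an added example, not code from the thread or from any of its participants: it conditions samples from several sources into one seed with SHA-256 under a domain-separation label, length-prefixes each sample so source boundaries are unambiguous, and includes a sanity check that the seed really depends on every source. The source names, the `entropy-mix-v1` label and the `collect_samples` stand-ins (OS pool, `secrets` as a simulated hardware instruction, a timing-jitter word) are assumptions for illustration, not real devices or any project's API.

```python
import hashlib
import os
import secrets
import time
from typing import Sequence

SEED_LEN = 32  # bytes of conditioned output (SHA-256 digest size)


def _length_prefixed(chunk: bytes) -> bytes:
    """Encode a chunk as a 4-byte big-endian length followed by the bytes,
    so that concatenating several chunks is unambiguous."""
    return len(chunk).to_bytes(4, "big") + chunk


def mix_entropy_sources(samples: Sequence[bytes],
                        label: bytes = b"entropy-mix-v1") -> bytes:
    """Condition samples from several independent sources into one seed.

    Every sample is hashed together under a domain-separation label (the
    label name is an assumption of this example).  The result is
    unpredictable to anyone who does not know *every* sample, so a single
    fully known source (a PRNG dressed up as a TRNG, a backdoored
    instruction) does not by itself reveal the seed.
    """
    if not samples:
        raise ValueError("at least one entropy sample is required")
    h = hashlib.sha256()
    h.update(_length_prefixed(label))
    h.update(len(samples).to_bytes(4, "big"))
    for sample in samples:
        h.update(_length_prefixed(sample))
    return h.digest()


def collect_samples(n_bytes: int = 32) -> list:
    """Constructed stand-ins for independent sources (not real devices):
    the OS pool, a simulated hardware instruction, and coarse timing jitter."""
    jitter = time.perf_counter_ns().to_bytes(8, "big", signed=False)
    return [os.urandom(n_bytes), secrets.token_bytes(n_bytes), jitter]


def adversary_recovers_seed(known_sample: bytes,
                            unknown_samples: Sequence[bytes]) -> bool:
    """Model an adversary who fully knows one source but none of the others.

    The only candidate they can compute is the mix of what they know; this
    returns True only if that candidate equals the seed built from all
    sources.
    """
    real_seed = mix_entropy_sources([known_sample, *unknown_samples])
    candidate = mix_entropy_sources([known_sample])
    return secrets.compare_digest(candidate, real_seed)


def seed_depends_on_every_source(samples: Sequence[bytes]) -> bool:
    """Sanity check for the mixer: flipping one bit in any single source
    must change the seed.  Catches wiring bugs where a source is silently
    dropped or overwritten before conditioning."""
    baseline = mix_entropy_sources(samples)
    for i, sample in enumerate(samples):
        if not sample:
            return False  # an empty sample contributes nothing
        flipped = bytes([sample[0] ^ 0x01]) + sample[1:]
        altered = list(samples)
        altered[i] = flipped
        if mix_entropy_sources(altered) == baseline:
            return False
    return True


if __name__ == "__main__":
    samples = collect_samples()
    seed = mix_entropy_sources(samples)
    print("seed:", seed.hex())
    print("every source contributes:", seed_depends_on_every_source(samples))
    # An adversary who knows only the first source cannot rebuild the seed.
    print("single-source adversary wins:",
          adversary_recovers_seed(samples[0], samples[1:]))
```

The length prefixes matter: without them `[b"ab", b"c"]` and `[b"a", b"bc"]` would hash to the same seed, which lets one source's output shift the boundary of another's. The `seed_depends_on_every_source` check is the kind of test worth running in CI against the real wiring, since the thread's point is that no statistical look at the output can tell you whether a source was actually used.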