Thor Lancelot Simon <[EMAIL PROTECTED]> writes:

>Do you actually know of publicly available documentation on the design and
>implementation of *any* of these "noise based" RNGs? I have spent some time
>looking, and I do not.
Someone from HiFn discussed an older HiFn design based on ring oscillators
with postprocessing at the NIST RNG workshop in 2004,
http://csrc.nist.gov/CryptoToolkit/RNG.html. Newer designs are apparently
more sophisticated than this, but the details aren't easily available. I
feel reasonably confident in their design; they know what they're doing.

>Broadcom makes no RNG documentation, much less analysis, publicly
>available.

Broadcom makes no documentation of any kind available. Nothing to see here,
move along.

>I have not had time to investigate the situation vis-a-vis VIA. I am told
>it's somewhat better, but I was told the Broadcom stuff was trustworthy, too,
>and then I found out that the person who said so did not really have
>documentation either!

Via's stuff is currently the best-documented and best-analysed, and you know
what you're getting in the CPUs (you can read all the status info out of
MSRs).

>If you're using their RNG without NDA documentation that may or may not even
>exist, it's on a "trust us...really!" basis.

Unfortunately the security techies are very much in the minority here; for
99.99% of customers "trust us, really" is fine. For the vendors it's just too
much work to prepare and clear technical documentation for release when only
a handful of guys in an ivory tower somewhere will ever read it. I've seen
documentation for one crypto device where it was obvious that it was an
internal doc that had been hastily cleaned up for publication because
someone somewhere had demanded it (some bits of the document had been passed
over in the clearing process; their lawyers would have had a fit). Asking
for these sorts of docs reminds me of the situation with the kernel hackers
who bug vendors for hardware technical data ("why on earth do you want this
information, we provide you with the drivers don't we?"), but with an even
harder case to make to the crypto hardware vendors.
>These all add up to "vendors are doing things with their 'noise-based' RNGs
>that should *really* scare you".

That's why I'd never trust a single source of entropy for anything, but mix
as many sources as possible into a PRNG (safety through redundancy). If you
look at the Skipjack RNG, the NSA seem to do the same thing: there are
multiple sources, and even if one fails completely it won't destroy the
usefulness of the generator as a whole.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
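Peter's point about mixing several entropy sources so that one failed source cannot sink the generator, as an added example that is not from the thread: a small Python pool that mixes every source with SHA-256, expands with HMAC-SHA256 in counter mode, and runs a simple repetition-count style health check. The sample bytes (one source deliberately stuck at a constant) and the max_run threshold are constructed assumptions, not values from any real device.

```python
import hashlib
import hmac

# Constructed sample inputs standing in for raw hardware/OS entropy sources.
# Source 1 is deliberately "stuck" (think of a failed ring oscillator that
# emits a constant), to show the pool still depends on the healthy sources.
SAMPLES = [
    bytes.fromhex("9f3a1c77e2b0445d8c6e01f2a3b4c5d6"),  # constructed, healthy
    b"\x00" * 16,                                       # constructed, stuck
    bytes.fromhex("0badf00dcafebabe1122334455667788"),  # constructed, healthy
]

def stuck_sources(samples, max_run=8):
    """Return indices of sources whose sample contains a run of identical
    bytes longer than max_run (a simple repetition-count style health check;
    the threshold is an assumption for this example)."""
    flagged = []
    for i, s in enumerate(samples):
        run, worst = 1, 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if a == b else 1
            worst = max(worst, run)
        if worst > max_run:
            flagged.append(i)
    return flagged

def mix_pool(samples):
    """Mix every source into one 32-byte pool. Each input is tagged with its
    source index and length-prefixed so contributions cannot be confused or
    cancel each other; a constant source adds nothing but removes nothing."""
    h = hashlib.sha256()
    for i, s in enumerate(samples):
        h.update(i.to_bytes(2, "big") + len(s).to_bytes(4, "big") + s)
    return h.digest()

def derive(pool, nbytes):
    """Expand the pool into output bytes with HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hmac.new(pool, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]

if __name__ == "__main__":
    print("stuck sources:", stuck_sources(SAMPLES))
    print("output:", derive(mix_pool(SAMPLES), 16).hex())
```

A real design would refuse to reseed from a flagged source and would keep collecting until the healthy sources have delivered enough estimated entropy; the check here only shows where that decision plugs in.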