tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Lightweight support for instruction RNGs



The point is to see if RDRAND plus other inputs does not regress to
produce an output that is, in some way, "predictable". And while
running dieharder does not guarantee this, it may show up something
unusual. Given that there's previous history in this area, I'd
consider it a prudent thing to do.

As to how it's hooked up - either present dieharder with a file of
random bytes which you've generated using your new rng (via the -f
filename parameter), or use one of the generators - you run it with -g
-1 to produce a list of possible generators:

> dieharder -g -1
#=============================================================================#
#            dieharder version 3.31.1 Copyright 2003 Robert G. Brown          #
#=============================================================================#
#    Id Test Name           | Id Test Name           | Id Test Name           #
#=============================================================================#
|   000 borosh13            |001 cmrg                |002 coveyou             |
|   003 fishman18           |004 fishman20           |005 fishman2x           |
|   006 gfsr4               |007 knuthran            |008 knuthran2           |
|   009 knuthran2002        |010 lecuyer21           |011 minstd              |
|   012 mrg                 |013 mt19937             |014 mt19937_1999        |
|   015 mt19937_1998        |016 r250                |017 ran0                |
|   018 ran1                |019 ran2                |020 ran3                |
|   021 rand                |022 rand48              |023 random128-bsd       |
|   024 random128-glibc2    |025 random128-libc5     |026 random256-bsd       |
|   027 random256-glibc2    |028 random256-libc5     |029 random32-bsd        |
|   030 random32-glibc2     |031 random32-libc5      |032 random64-bsd        |
|   033 random64-glibc2     |034 random64-libc5      |035 random8-bsd         |
|   036 random8-glibc2      |037 random8-libc5       |038 random-bsd          |
|   039 random-glibc2       |040 random-libc5        |041 randu               |
|   042 ranf                |043 ranlux              |044 ranlux389           |
|   045 ranlxd1             |046 ranlxd2             |047 ranlxs0             |
|   048 ranlxs1             |049 ranlxs2             |050 ranmar              |
|   051 slatec              |052 taus                |053 taus2               |
|   054 taus113             |055 transputer          |056 tt800               |
|   057 uni                 |058 uni32               |059 vax                 |
|   060 waterman14          |061 zuf                 |                        |
#=============================================================================#
|   200 stdin_input_raw     |201 file_input_raw      |202 file_input          |
|   203 ca                  |204 uvag                |205 AES_OFB             |
|   206 Threefish_OFB       |207 XOR (supergenerator)|208 kiss                |
|   209 superkiss           |                        |                        |
#=============================================================================#
|   400 R_wichmann_hill     |401 R_marsaglia_multic. |402 R_super_duper       |
|   403 R_mersenne_twister  |404 R_knuth_taocp       |405 R_knuth_taocp2      |
#=============================================================================#
|   500 /dev/random         |501 /dev/urandom        |                        |
#=============================================================================#
#=============================================================================#

Best,
Alistair

On 19 December 2015 at 16:46, Thor Lancelot Simon <tls%panix.com@localhost> wrote:
> On Sat, Dec 19, 2015 at 04:42:54PM -0800, Alistair Crooks wrote:
>> Have you tried running this with pkgsrc/math/dieharder? I'd be
>> interested to see the results (the current version in pkgsrc -- 3.31.1
>> -- is much better than the previous one, and displays its results in a
>> much more useful way than previously). Not the be-all and end-all, but
>> still worthwhile running it.
>
> I have to ask, how would you hook it up and what exactly would be the
> point?  If you want to run RDRAND output through dieharder, you don't
> need to use the kernel for that -- the instruction is not a privileged
> instruction.
>
> And suppose you had a nasty tainted CPU where RDRAND actually just
> fed you the output of AES-256 with a key known to the adversary.  That
> output will pass statistical tests just fine -- all of them -- since
> if the output of the cipher is distinguishable from truly random data
> without knowledge of the key, that's a pretty good indicator there's
> a problem with the cipher...
>
> Thor
>


Home | Main Index | Thread Index | Old Index