tech-crypto archive


`harmless extra entropy' [was Re: Lightweight support for instruction RNGs]



[Trimming unrelated lists for digression.]

   Date: Mon, 21 Dec 2015 02:14:32 +0000
   From: <Paul_Koning%Dell.com@localhost>

   I'm puzzled by some of the comments.  There is never any downside,
   security wise, to stirring more entropy into the RNG.  If the
   entropy source data does not have good properties, then there is no
   benefit, but it can't ever hurt.  For example, stirring 1000 zero
   bytes in is pointless, but also harmless (ignoring the computation
   used to do the stirring).

Not quite so.  See <http://blog.cr.yp.to/20140205-entropy.html> for an
attack that exploits `harmless extra entropy'.  All zeros probably is
harmless, sure -- but one might reasonably choose to disable RDRAND
altogether and rummage in one's trouser pocket for a coin to flip
instead.

One might wonder about the motivation for Linux's original
architecture for RDRAND, which was to xor it directly into the output
of /dev/urandom rather than treat it as a separate entropy source.
Thor isn't doing that, but I'm generally suspicious of treating it
differently from other entropy sources and preventing the operator
from disabling it.

