tech-crypto archive


Re: `harmless extra entropy' [was Re: Lightweight support for instruction RNGs]



> On Dec 21, 2015, at 12:37 AM, Taylor R Campbell <campbell+netbsd-tech-crypto%mumble.net@localhost> wrote:
> 
> [Trimming unrelated lists for digression.]
> 
>   Date: Mon, 21 Dec 2015 02:14:32 +0000
>   From: <Paul_Koning%Dell.com@localhost>
> 
>   I'm puzzled by some of the comments.  There is never any downside,
>   security wise, to stirring more entropy into the RNG.  If the
>   entropy source data does not have good properties, then there is no
>   benefit, but it can't ever hurt.  For example, stirring 1000 zero
>   bytes in is pointless, but also harmless (ignoring the computation
>   used to do the stirring).
> 
> Not quite so.  See <http://blog.cr.yp.to/20140205-entropy.html> for an
> attack that exploits `harmless extra entropy'.  All zeros probably is
> harmless, sure -- but one might reasonably choose to disable RDRAND
> altogether and rummage in one's trouser pocket for a coin to flip
> instead.

That attack requires complete knowledge of all the entropy contributions.  But ok, my blanket statement was very slightly exaggerated.  For the CPU RNG as entropy source, though, there is no plausible way this applies.
> 
> One might wonder about the motivation for Linux's original
> architecture for RDRAND, which was to xor it directly into the output
> of /dev/urandom rather than treat it as a separate entropy source.

Right, that is not a good design.

> Thor isn't doing that, but I'm generally suspicious of treating it
> differently from other entropy sources and preventing the operator
> from disabling it.

I wouldn't treat it differently from any other source.

	paul
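The exchange above turns on one precondition: the "harmless extra entropy" effect in the linked post needs a contributor that knows the rest of the input, which is exactly what Paul says makes it implausible for an on-CPU source. The following model, added here and not code from either poster or from NetBSD or Linux, makes that concrete. It treats the RNG output as a hash over a secret pool plus every contribution in order (a constructed toy, not any real pool design), lets the last contributor search its own input, and compares the case where it knows the pool with the case where it does not. All names (`combine`, `choose_contribution`, the sample pools) are made up for this illustration.

```python
import hashlib
import random

# Constructed model of the `harmless extra entropy' discussion, written for
# this thread; it is not NetBSD's, Linux's, or any real RNG implementation.
# Output is modelled as SHA-256 over a secret pool plus each contribution.

def combine(pool: bytes, contributions: list[bytes]) -> bytes:
    """Model output: hash of the pool state and all contributions, in order."""
    h = hashlib.sha256()
    h.update(pool)
    for c in contributions:
        # length-prefix each contribution so the encoding is unambiguous
        h.update(len(c).to_bytes(2, "big") + c)
    return h.digest()

def choose_contribution(pool: bytes, others: list[bytes], target: int,
                        tries: int = 4096):
    """A last contributor that knows `pool` and every other contribution
    searches its own input until the first output byte equals `target`.
    Returns (contribution, attempts), or (None, tries) if none was found."""
    for i in range(tries):
        cand = i.to_bytes(2, "big")
        if combine(pool, others + [cand])[0] == target:
            return cand, i + 1
    return None, tries

def informed_source_hits(pool: bytes, others: list[bytes], target: int) -> bool:
    """With full knowledge, does the last source steer byte 0 to `target`?"""
    cand, _ = choose_contribution(pool, others, target)
    return cand is not None and combine(pool, others + [cand])[0] == target

def blind_source_hit_rate(trials: int, target: int, seed: int = 1) -> float:
    """Same search, but run against a guessed pool while the real pool stays
    secret.  The chosen contribution then lands on `target` only by chance,
    so the rate should sit near 1/256 regardless of how hard it searched."""
    rng = random.Random(seed)  # constructed, deterministic sample data
    hits = 0
    for _ in range(trials):
        real_pool = rng.randbytes(32)
        guessed_pool = rng.randbytes(32)
        others = [rng.randbytes(8), rng.randbytes(8)]
        cand, _ = choose_contribution(guessed_pool, others, target)
        if cand is not None and combine(real_pool, others + [cand])[0] == target:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    pool = bytes(range(32))                  # constructed secret pool state
    others = [b"coin-flip", b"timer-jitter"] # constructed honest inputs
    print("informed source steers byte 0:", informed_source_hits(pool, others, 0x00))
    print("blind source hit rate:", blind_source_hit_rate(500, 0x00))
```

The informed run succeeds essentially every time after a few hundred attempts; the blind run stays at roughly 1/256 no matter how much searching it does. Read as a design question rather than an attack recipe, that is the whole disagreement in the thread: an extra source is only as "harmless" as the assumption that it cannot observe the state it is being mixed into, which is also why a design that feeds a source straight into the output, instead of through the pool, gives that assumption less to stand on.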

