Re: Good enough for crypto?

From: Scott Wilber (swilber_at_comscire.com)
Date: 12/02/03


Date: 1 Dec 2003 21:53:23 -0800

daw@taverner.cs.berkeley.edu (David Wagner) wrote in message news:<bqeku4$6e7$1@agate.berkeley.edu>...
> Scott Wilber wrote:
> >The references from which you snipped this one were written by others,
> >not by ComScire or myself. I believe that Robert Davies was
> >evaluating random number generators for use in a New Zealand lottery,
> >an application where more than statistics alone are considered
> >crucial. After all, a good pseudorandom generator would serve
> >perfectly well from a statistical point of view, but you won't find
> >any lotteries that would accept one for drawing their numbers.
> >
> >In any case, the references were given merely as an example that
> >ComScire has been around a long time and that our generators are well
> >known and well respected.
>
> Right. I understand that. My point was merely that none of the
> references you quoted analyzed the system in enough technical depth
> to satisfactorily assess its suitability for cryptographic purposes.
> If you know of any other, more detailed evaluations, there would probably
> be a number of interested readers.

I agree, and we never paid an "independent" company to write a white
paper on our behalf. You can be sure that the companies that did do
their analyses and write their papers did not do so simply out of the
kindness of their hearts.

Between the information presented in this thread and the detailed
technical descriptions given on our website, I should think that a
skilled engineer could (almost, there is some art involved with
layout, part selection and such) build a comparable generator, either
hardware or software-based.

If there are any other specific details that you would like to know,
just ask.
>
> This in no way is meant to imply that the ComScire generator is not secure
> enough for cryptography, or that no such analysis has ever been performed.
> The ComScire device may well be more than adequate. My point is only
> that I have yet to see a fully satisfying technical assessment of the
> randomness of the ComScire device and its suitability for cryptography.
> The same can be said of many other hardware random number devices;
> I don't mean to single out ComScire in this respect.

Our generators have been tested and analyzed by some very well known
experts in the field, but we do not and will not utilize their
feedback for commercial purposes without their explicit permission,
which we also never ask for. In other words they must choose to
publish the information on their own.
>
> On the other hand, the Intel RNG and the VIA Nehemiah RNG are nice
> examples of RNG's where I have seen fairly substantial analysis of their
> suitability for generating crypto-quality randomness. (Too bad that the
> Intel has stopped shipping their RNG, and that the VIA RNG is not widely
> deployed on the desktop.)

I must differ with your opinion of the VIA RNG. Even though
sufficient detail is probably available to analyze the actual entropy
in their generator,
( http://www.via.com.tw/en/viac3/via_c3_padlock_evaluation.pdf ) their
analysis relies primarily on statistical measurements and arguments to
persuade us that the output is "true random." They also make the
assertion that entropy adds linearly: a reasonable approximation when
the entropy being added is very low, but obviously incorrect at higher
entropy levels. This is a fundamental error. (See p11 of the
referenced document.)

We have developed precise mathematical models for this type of random
generator (HF oscillator sampled by jittery LF oscillator) so that an
actual estimate of the entropy may be computed. Having built,
analyzed and tested dozens of variations of these oscillators over the
past years, it seems fairly clear that the VIA generator is more
chaotic complexity than true randomness for the bit rates they claim.
They may be presently unpredictable due to that level of complexity,
but only true randomness will always remain unpredictable.

On the other hand, our analysis of Intel's generator disclosed more
than adequate entropy supply to support their true random bit rate
claims.

> If other hardware RNG vendors were inspired
> to conduct similarly informative independent evaluations of their own
> RNG's, that wouldn't be a bad thing...

I totally agree with the informative and independent part, but how do
you pay someone to be independent?

Scott
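To illustrate the "entropy adds linearly" point raised above, here is an added example that is not part of the thread and not ComScire's model. It assumes a simplified source: each raw sample is an independent bit with P(1) = p, and n such samples are combined by XOR into one output bit (an assumed combining step, not a description of the VIA design). It compares the exact Shannon entropy of the XOR output with the linear sum n*H(p).

```python
import math


def binary_entropy(p: float) -> float:
    """Shannon entropy in bits of a single bit with P(1) = p."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def xor_entropy(p: float, n: int) -> float:
    """Exact entropy of the XOR (parity) of n independent bits, each with P(1) = p.

    The parity of n independent biased bits is 1 with probability
    (1 - (1 - 2p)^n) / 2, so the result can never exceed 1 bit.
    """
    p_parity_one = (1.0 - (1.0 - 2.0 * p) ** n) / 2.0
    return binary_entropy(p_parity_one)


def linear_sum(p: float, n: int) -> float:
    """The 'entropy adds linearly' estimate: n times the per-sample entropy."""
    return n * binary_entropy(p)


def relative_error(p: float, n: int) -> float:
    """How far the linear estimate overshoots the exact XOR entropy, relative to itself."""
    exact = xor_entropy(p, n)
    approx = linear_sum(p, n)
    return (approx - exact) / approx


if __name__ == "__main__":
    # Constructed sample points: a very low-entropy source and a moderately biased one.
    for p, n in [(1e-4, 2), (1e-4, 8), (0.3, 2), (0.3, 4)]:
        print(f"p={p:<7} n={n}: linear sum={linear_sum(p, n):.5f} bits, "
              f"exact XOR entropy={xor_entropy(p, n):.5f} bits, "
              f"overshoot={relative_error(p, n):.1%}")
```

For p = 1e-4 the linear estimate is within about 7% of the exact value, while for p = 0.3 and n = 2 it claims 1.76 bits for a single output bit, which no one-bit output can carry; the exact figure is about 0.98 bits.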

