hardware RNG
Bill Stewart
bill.stewart at pobox.com
Tue Sep 10 00:13:32 PDT 2013
At 04:28 PM 9/9/2013, Juan Garofalo wrote:
> Creating hardware rngs for individual PCs or phones or
> similar devices isn't really hard. We don't need to rely on a
> multibillion american corporation like intel to produce some
> state-of-the-art circuitry. There are applications that need a fast
> stream of random numbers, but those applications are not the
> applications end users run on their devices for security purposes -
> Did I get the general idea right?
Except for security purposes, most people who need a lot of random
numbers are doing things like simulation or generating events in
games, so they need a source with very good statistics about
independence and uncorrelatedness, but don't mind if it's predictable
(and in fact being predictable can be useful, since you can run the
same random data stream against different versions of your
application and see if it performed better or worse). For those
people, a statistically good pseudorandom number generator is usually
just fine, and if it's cryptographically secure that's nice but only
because crypto stuff needs to be statistically good. Fast on-chip
hardware random number generation is useful to non-security people
because it's also likely to be statistically good.
Security's different, of course. In a typical client-server or
peer-to-peer environment, a client or peer isn't going to be
generating a lot of random session keys per second, much less a lot
of high-strength long-term-use public keys, so the only reason
performance matters is that you don't want the user to use a
too-short key because generating a long enough key would have taken
15 minutes or required them to wave a mouse around for a long
time. A web server or mail server or sometimes a peer with a lot of
traffic (e.g. a Tor node) is a different case; they might handle
enough traffic that fast strong hardware random number generation is
necessary, and they're also the more interesting targets for Bad Guys
to attack.
The other set of security people who want a large quantity of really
good random numbers are people who use one-time pads. Most of them
are either hobbyists (who can wait), or actually
military/spies/anti-government activists (who are going to ship keys
around by courier, which is slow, so they should be willing to
generate them in advance), or paranoids (who don't trust public-key
crypto, or who don't trust their hardware not to have backdoors, so
they've got lots of challenges.) Using OTPs in a professional
environment is operationally expensive; you should be willing to
spend money on hardware if you're doing it.
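The two properties the post attributes to a statistically good generator, that a seeded stream replays identically (useful for simulations) and that the stream is predictable (fatal for keys), as an added worked example in Python; this code is not the author's or the list's. CPython's random module is MT19937 (Mersenne Twister): 624 observed 32-bit outputs are enough to rebuild its state and predict everything that follows, whatever the seed, while secrets draws from the OS CSPRNG. The function names, seeds and demo structure are this example's own assumptions; the tempering constants and 624-word state are MT19937's real parameters.

```python
"""Added example, not part of the original post: CPython's random module is
MT19937 (Mersenne Twister), a statistically excellent generator that is both
reproducible (good for simulations) and recoverable from its output (fatal for
keys).  Function names and seeds here are this example's own assumptions; the
tempering constants and the 624-word state are MT19937's real parameters."""
import random
import secrets

N = 624             # MT19937 state words
MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """MT19937 output tempering: state word -> emitted 32-bit value."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y: int) -> int:
    """Invert temper(): emitted 32-bit value -> state word.  Every step is an
    xor with a shifted, masked copy of itself, so each is invertible."""
    y ^= y >> 18                      # shift >= 16: reapplying inverts it
    y ^= (y << 15) & 0xEFC60000       # mask bits 15/16 are clear: same trick
    x = y                             # <<7 step: each pass repairs 7 more low bits
    for _ in range(5):
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x
    x = y                             # >>11 step: each pass repairs 11 more high bits
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & MASK32


def clone_mt(outputs) -> random.Random:
    """Rebuild a generator in the same state as the one that produced
    `outputs`.  Assumes the 624 values are the first outputs after seeding
    (one full state block); a capture that straddles a twist boundary needs
    extra bookkeeping this demo leaves out."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    clone.setstate((3, state + (N,), None))   # index == N: twist on next call
    return clone


def reproducible_streams(seed: int, n: int = 8) -> bool:
    """The simulation use case from the post: same seed, same stream."""
    a, b = random.Random(seed), random.Random(seed)
    return [a.random() for _ in range(n)] == [b.random() for _ in range(n)]


def predict_next(victim: random.Random, n_predict: int = 16):
    """Watch 624 outputs of a freshly seeded `victim`, clone it, and return
    (predicted, actual) for the outputs that follow.  They match: anyone who
    saw the 'random' values you emitted knows the next ones, whatever the seed
    or however much mouse-waving went into it."""
    observed = [victim.getrandbits(32) for _ in range(N)]
    clone = clone_mt(observed)
    predicted = [clone.getrandbits(32) for _ in range(n_predict)]
    actual = [victim.getrandbits(32) for _ in range(n_predict)]
    return predicted, actual


def session_key(nbytes: int = 32) -> bytes:
    """What security code does instead: read the kernel's CSPRNG via
    os.urandom (which is what secrets wraps); the kernel, not the application,
    is where hardware entropy sources get mixed in."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    print("seeded MT replays identically:", reproducible_streams(2013))
    pred, act = predict_next(random.Random(0xC0FFEE))
    print("MT next outputs predicted from 624 observed:", pred == act)
    print("session key from OS CSPRNG:", session_key().hex())
```

Run it as a script: the first line shows the replay property the post mentions as useful for A/B runs, the second shows that the same property is exactly what makes MT unusable for session keys, and the third shows the secrets call a client should use instead, which is fast enough for the one-key-at-a-time client case the post describes.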
More information about the cypherpunks mailing list