[liberationtech] Random number generation being influenced - rumors
coderman
coderman at gmail.com
Sun Sep 8 16:44:43 PDT 2013
On Sat, Sep 7, 2013 at 10:26 AM, Eugen Leitl <eugen at leitl.org> wrote:
> ...
> There is a hardware RNG in the AMD Geode LX. I tried very hard to
> find any documentation, but found effectively nothing.
>
> Am I that bad at searching, or is this really a black box?
the only decent on-die RNG i have used was XSTORE[0] from VIA Padlock
which allowed you very high speed access to the raw, unwhitened output
of the hardware RNG source(s). you could read from both at twice the
rate for maximum throughput.
it was then up to a user-space daemon to read this raw source and
perform cursory and long-lived checks, even benchmarks against large
volumes of TBytes of output for extended confirmation (looking at you
DIEHARDER).
the user-space daemon, having then verified the hardware entropy
sources, performs computation blinding and compression (e.g. hashing
or block ciphering) and mixes this obfuscated entropy with the kernel
entropy pool via write to /dev/random.
RDRAND/RDSEED can not be used in a trusted manner with access to the
unwhitened, raw output.
the AMD768 RNG has not produced a detailed design like XSTORE and
cryptography research, nor does it support the raw mode like needed,
always reading some "4 bytes:" of randomness (IIRC).
there are USB and other external sources for entropy if your CPU does
not support it, of course. these are useful to augment any userspace
entropy daemons like haveged.
0. "Evaluation of C3 Nehemiah Random Number Generator"
http://www.cryptography.com/public/pdf/VIA_rng.pdf
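The user-space daemon loop described in the post (read raw, unwhitened output; run continuous checks; compress by hashing; write to /dev/random), as an added Python sketch that is not part of the original message. The device path, the per-sample entropy estimate and the repetition cutoff are assumptions, and the "raw" input is constructed in place of a real HWRNG read.

```python
"""Sketch of a user-space entropy daemon: health-check raw HWRNG samples,
hash-compress them, then feed the kernel pool.  Added example; device path,
entropy estimate and cutoffs are assumptions, not measured values."""
import hashlib
import math
from typing import Optional

def repetition_cutoff(h_bits: float) -> int:
    # SP 800-90B repetition count cutoff C = 1 + ceil(-log2(alpha) / H),
    # with alpha = 2**-20 and H the assumed min-entropy per 8-bit sample.
    return 1 + math.ceil(20 / h_bits)

def repetition_count_ok(samples: bytes, h_bits: float) -> bool:
    """Return False if any sample value repeats C or more times in a row.
    This catches a stuck or failed source and runs continuously on raw data."""
    cutoff, run, prev = repetition_cutoff(h_bits), 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True

def condition(raw: bytes, h_bits: float) -> bytes:
    """Compress raw samples: each SHA-256 output consumes enough raw bytes to
    carry >= 256 bits under the assumed (conservative) per-sample estimate."""
    need = math.ceil(256 / h_bits)
    return b"".join(hashlib.sha256(raw[i:i + need]).digest()
                    for i in range(0, len(raw) - need + 1, need))

def process_block(raw: bytes, h_bits: float = 2.0) -> Optional[bytes]:
    """Health-check, then condition one block; None means do not feed it."""
    if not repetition_count_ok(raw, h_bits):
        return None
    return condition(raw, h_bits)

def feed_kernel(conditioned: bytes, path: str = "/dev/random") -> int:
    # A plain write mixes data into the pool without crediting entropy;
    # crediting needs the RNDADDENTROPY ioctl and root, which is not done here.
    with open(path, "wb") as dev:
        return dev.write(conditioned)

if __name__ == "__main__":
    # Constructed stand-ins for raw device reads (assumption, not a real HWRNG).
    healthy = bytes(range(256)) * 4      # varied samples, passes the check
    stuck = b"\x00" * 1024               # dead source, fails the check
    print(len(process_block(healthy) or b""), process_block(stuck))
```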