RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)

dan at geer.org dan at geer.org
Tue Oct 9 13:58:35 CEST 2012

I consulted a non-list-reading colleague who knows
rather a lot about randomness.  He writes:

>       here's my reply;  i dunno whether it counts
>  as an example of evil per se:
>       the bigger problem with manufactured
>  entropy sources is that rigorous unit testing
>  at the factory usually is just impossible.
>  it just takes too long to gather a few hours
>  of bits from every unit, then do the exhaustive
>  statistical testing, again for every unit.
>      indeed, it seems likely to me that when
>  a CPU vendor sells CPU chips with integrated
>  TRNG circuits, some of the chips will surely
>  come off the fabrication line with defective
>  TRNGs, just as some CPU chips get made with
>  defective ALUs, memory, etc.  the bad logic
>  circuits get caught by exhaustive pre-ship
>  testing, and those chips don't get sold.  but
>  given that rigorous testing of the TRNG circuit
>  is so expensive, it's my guess that the CPU
>  vendor surely must just unwittingly ship the
>  CPUs that happen to have obscurely bad TRNGs.


More information about the Gnupg-users mailing list