Hardware RNGs are overrated
Posted Apr 26, 2012 19:21 UTC (Thu) by intgr
Parent article: Quantum random numbers
TL;DR: Pointless exercise in practice, already solved by cryptographers. I have a cheaper, faster and more secure random number generator under my desk.
Hardware RNGs are overrated. When used for security-sensitive purposes (e.g. cryptography), they always have the fundamental problem that it's hard to tell a malfunctioning RNG from a well-functioning one -- unlike most other peripherals. Or the device may be outputting seemingly random numbers, but have a deliberate built-in bias, with the "key" for detecting/predicting this bias only known to the device manufacturer.
To prevent the above problems, random numbers used in cryptography should always be fed through a cryptographic PRNG, to generate another set of random numbers which have well-known security properties. One of these properties is that it's computationally infeasible to distinguish a cryptographic PRNG from true randomness -- a guarantee that this device's authors explicitly disclaim!
The amount of true randomness needed to seed a PRNG securely is rather low -- a mere 256 bits of unpredictable data is more than enough to prevent any Earth-bound attacker from guessing or predicting the output. You get that amount of entropy from the rounding error in 256 stochastic timer measurements -- such as interrupt timings. Since every output bit of a PRNG is functionally dependent on every input bit, you don't even need to know which input bits are random. It may well be 256 random bits among 10MB of zeroes, and you would be no less secure because of it.
What about speed? Well, AES is a popular component in cryptographic PRNGs. My aging quad-core Phenom II CPU -- without hardware AES support -- gives these results to openssl speed aes -multi 4:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128 cbc   515754.42k   802637.25k   948130.05k  1009894.06k  1023385.60k
aes-192 cbc   404566.60k   700272.79k   791805.87k   840740.18k   710834.04k
aes-256 cbc   388939.03k   611864.38k   631131.22k   714418.52k   713521.83k
Yes, that's 713 MByte/s or 5.7 Gbit/s of random numbers at the 256-bit security level (quite a coincidence).
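As an added example, not from intgr's comment or from LWN: the "feed everything through a cryptographic PRNG" step the comment describes, in Python with only the standard library. It uses HMAC_DRBG from NIST SP 800-90A with SHA-256 rather than the AES-based construction the comment benchmarks; the point is the same. The 1 MiB entropy pool, the 32-byte "unpredictable" region placed inside it, and the visibly biased "hardware RNG" sample are all constructed inputs for the demo, not measurements.

```python
"""HMAC_DRBG (NIST SP 800-90A, SHA-256) seeded from an arbitrary entropy pool.

Added illustration, not code from the original comment. Stdlib only.
"""
import hashlib
import hmac

OUTLEN = hashlib.sha256().digest_size  # 32 bytes


class HmacDrbg:
    """Minimal HMAC_DRBG; reseed_interval follows SP 800-90A (2**48 requests)."""

    RESEED_INTERVAL = 2 ** 48

    def __init__(self, entropy_input: bytes, nonce: bytes = b"",
                 personalization: bytes = b"") -> None:
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # Every byte of `provided` passes through HMAC, so K and V (and hence all
        # later output) depend on every input bit, whether or not it was random.
        self.K = self._hmac(self.V + b"\x00" + provided)
        self.V = self._hmac(self.V)
        if not provided:
            return
        self.K = self._hmac(self.V + b"\x01" + provided)
        self.V = self._hmac(self.V)

    def reseed(self, entropy_input: bytes, additional: bytes = b"") -> None:
        self._update(entropy_input + additional)
        self.reseed_counter = 1

    def generate(self, n: int, additional: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional)
        self.reseed_counter += 1
        return out[:n]


POOL_SIZE = 1 << 20  # 1 MiB of mostly zeroes, standing in for the "10MB" case
# Constructed stand-in for "256 unpredictable bits": a fixed value so the demo
# is reproducible. A real system would collect these from timer jitter etc.
SECRET_256 = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c762e7160f38b4da56a784d9045190cfe")


def make_pool(secret: bytes, offset: int = 123_456, size: int = POOL_SIZE) -> bytes:
    """Build a pool of zeroes with `secret` buried at `offset` (constructed input)."""
    pool = bytearray(size)
    pool[offset:offset + len(secret)] = secret
    return bytes(pool)


def demo() -> dict:
    """Exercise the comment's claims on constructed inputs; returns check results."""
    pool = make_pool(SECRET_256)
    flipped = make_pool(SECRET_256[:-1] + bytes([SECRET_256[-1] ^ 0x01]))
    zeros = make_pool(b"")
    out_a = HmacDrbg(pool).generate(32)
    out_b = HmacDrbg(pool).generate(32)
    out_flip = HmacDrbg(flipped).generate(32)
    out_zero = HmacDrbg(zeros).generate(32)

    # Constructed "hardware RNG" sample with an obvious bias (a counting pattern).
    # Mixed in as additional input it can only add to the state, never replace it,
    # so a biased or backdoored device cannot reduce what the pool already gave us.
    hw_sample = bytes(range(256))
    with_hw = HmacDrbg(pool).generate(32, additional=hw_sample)
    without_hw = HmacDrbg(pool).generate(32)
    return {
        "same_pool_same_output": out_a == out_b,
        "one_bit_flip_changes_output": out_a != out_flip,
        "all_zero_pool_differs": out_a != out_zero,
        "hw_sample_changes_stream": with_hw != without_hw,
    }


if __name__ == "__main__":
    print(demo())
```

The 32 secret bytes sit at a fixed offset inside a megabyte of zeroes, and the DRBG never learns where; flipping one bit of that secret still changes every output byte, which is the "you don't need to know which input bits are random" property. A hardware RNG's output, biased or not, is mixed in as additional input on top of the seeded state rather than used directly.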