tech-security archive


Re: Lightweight support for instruction RNGs



Hi Taylor,
Hi Greg, Thor,

On Tue, 22 Dec 2015 18:33:57 +0000
Taylor R Campbell <campbell+netbsd-tech-security%mumble.net@localhost> wrote:
>    Date: Tue, 22 Dec 2015 12:22:57 -0500
>    From: Greg Troxel <gdt%ir.bbn.com@localhost>
> 
>    I am only dimly following this, but I have two thoughts:
> 
>      I see the point that running randomness tests will not detect a
>      well-engineered attack.  But it probably will detect a large
>      class of implementation bugs, so it seems worth doing.
> 
>      Randomness tests on input, not normally accessible, could detect
>      a further class of bugs.
> 
>    I think agc's point is that all tests which are reasonably feasible
>    might as well be done, vs a claim that they will detect intentional
>    attacks.
> 
> On-line crypto self-tests with known-answer test vectors are a good
> way to make sure of that.  All the crypto code I have added to the
> tree has such self-tests.  The chance of passing the self-tests and
> failing to function on other inputs is tremendously slim (unless the
> compiler optimizes the self-test code away or something).

First and foremost: I do not disagree w/ you or anyone else in this
discussion.

What you may (or may not) be interested in though could be:

  The fragility of AES-GCM authentication algorithm
  http://eprint.iacr.org/2013/157.pdf

In short: 19 known-answer tests, 18 from the NIST spec itself, none
of them covered the implementation issue the authors discovered.

Despite that, I personally would probably tend to the "just-run-the-damn-thing"
(dieharder) approach anyways.

Matthias
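As an added illustration of the known-answer self-test approach discussed above (not code from this thread or from NetBSD): a GHASH implementation checked against test case 2 of the GCM specification, beside a constructed, hypothetical partial-block defect that the same whole-block vector cannot catch. The H and E_K(J0) constants are the AES outputs the spec lists for that test case, used here so the check exercises GHASH alone.

```python
import struct

# Multiplication in GF(2^128) with GCM's bit ordering (NIST SP 800-38D, Algorithm 1).
# Blocks are handled as 128-bit big-endian integers; the spec's "bit 0" is the MSB.
R = 0xE1 << 120

def gf_mult(x: int, y: int) -> int:
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): zero-pad A and C to 16-byte blocks, then append the bit lengths."""
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % 16)
    data = pad(aad) + pad(ct) + struct.pack(">QQ", 8 * len(aad), 8 * len(ct))
    x = 0
    for i in range(0, len(data), 16):
        x = gf_mult(x ^ int.from_bytes(data[i:i + 16], "big"), h)
    return x

# Known-answer values from the GCM spec's test case 2: zero key, zero IV, one zero
# plaintext block, no AAD. H = AES_K(0^128) and E_K(J0) are taken as constants.
KAT_H    = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
KAT_C    = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
KAT_EKJ0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A
KAT_TAG  = 0xAB6E47D42CEC13BDF53A67B21257BDDF

def ghash_truncating(h: int, aad: bytes, ct: bytes) -> int:
    # Hypothetical defect, constructed for illustration (not the bug from the paper):
    # a trailing partial ciphertext block is silently dropped before hashing.
    return ghash(h, aad, ct[: len(ct) - len(ct) % 16])

def self_test(impl=ghash) -> bool:
    """Start-up check: recompute the tag for the known-answer vector and compare."""
    return impl(KAT_H, b"", KAT_C) ^ KAT_EKJ0 == KAT_TAG

def kat_covers_partial_blocks(impl=ghash_truncating) -> bool:
    """False when a defect in the partial-block path survives the whole-block KAT."""
    sample = KAT_C + b"\x01"  # constructed 17-byte input, not a spec vector
    return not (self_test(impl) and impl(KAT_H, b"", sample) != ghash(KAT_H, b"", sample))
```

The second check shows why a vector set built only from whole-block inputs says nothing about the padding path; a self-test suite needs at least one vector per code path it is meant to guard.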

