Re: use of RDRAND in $random_library
Martijn van Oosterhout dijo [Fri, Jun 13, 2014 at 10:09:02AM +0200]:
> > Excuse me if I'm blunt here, but I understand that, on the point of
> > using entropy to seed a PRNG, if you have several shitty entropy
> > sources and one _really_ good one, and you xor them all together, the
> > resulting output is as random as the best of them. If your hardware
> > entropy source is faulted and produces just an endless stream of
> > '001001001001001001', xoring it with a valid Golomb sequence will give
> > you something even more random than a Golomb sequence.
> > Or am I misunderstanding my crypto?
> The proof that XORing streams can't reduce the entropy relies on the
> sources being independant. I think the issue here is we don't know if
> RDRAND is independent or not. That said, doing a SHA256 over the output
> should be sufficient (assuming the CPU doesn't see you're doing a hash and
> short circuits it).
Ofcourse. Were your CPU to have a SHA256-defeating algorithm, it would
have to detect the purpose it was being used for, or problems would be
easily detected :)