Re: Intel 810 Random Number Generator

From: Sandy Harris (sandy@storm.ca)
Date: Mon Jan 24 2000 - 13:19:30 EST


nathan.zook@amd.com wrote:

> As I recall from the press, the RNG calculates an
> index into a 2^16 byte array of "true random data", which means that the
> data is skewed by the fact that they are sampling a sample, even if the
> index is truly random. Presumably, every system has the same array, so it
> should be possible to find out what the entries are and see how bad the
> effect is.

If the output comes from an array lookup, 16 bits in and 8 out, then there's
a fairly obvious way they could optimise it. Kaisa Nyberg's Crypto 91 paper
"Perfect Nonlinear S-Boxes" has details.

> Third, we need to analyze the indexing function to see how much entropy it
> has. We know that the final output has no more entropy than the indexing
> function. Furthermore, if there is any systematic bias to be expected, this
> will exacerbate the problem of sampling a sample.

If there's at least 8 bits of entropy in the input 16 bits to one of Nyberg's
perfect s-boxes, the output is provably unbiased in a fairly strong sense.

On the other hand, random s-boxes with 8-bit inputs are used in ciphers like
Blowfish and Twofish. Small random s-boxes are problematic, but they get
better as the input size grows. Intel's 16-bit-input box should be fine,
even if it's random.

Also, building a 16 by 8 Nyberg s-box would be horrendously expensive
using any method that occurs to me.

This archive was generated by hypermail 2b29 : Mon Jan 31 2000 - 21:00:12 EST