Date: Tue, 11 Mar 2025 09:00:15 -0700
On Tuesday, 11 March 2025 07:47:53 Pacific Daylight Time Sebastian Wittmeier
via Std-Proposals wrote:
> AFAIK (no crypto expert), what you would want in that case is a
> "cryptographic hash function" (=practically non-reversible), which you use
> with a salt to prevent dictionary attacks.
You're correct in general, but AES and other encryption techniques can be used
for this too. The HWRNG in Intel processors does use AES to "smooth out" the
output of the internal generator. That's probably because the AES circuitry
had existed for two generations when RDRAND was introduced in 2013, but the
SHA new instructions weren't added until much more recently.
Also one of the reasons some skeptics decided to not use the HWRNG
(exclusively or at all): you can't tell from the outside if the output is
random, AES-smoothed random, or a CTR-mode AES encryption of a specific seed.
-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Principal Engineer - Intel DCAI Platform & System Engineering
Received on 2025-03-11 16:00:23