NIST (Score:2)
They need to give NIST time to set up ENT certification (SP800-90B certs independent of FIPS 140-3) before they load them up with IoT stuff. We've been waiting a long time.
Re: (Score:3)
For those wondering, the final recommendation was made 3 years ago (Jan 2018) and is available here, https://csrc.nist.gov/publicat... [nist.gov]
Re:NIST (Score:4, Informative)
The NIST was typically sufficiently staffed to run many projects in parallel -- "was" because the past Presidential Administration (whose name shall not be mentioned) did not exactly espouse things like "standards" or "technology" or even "institutions" of any sort.
The spec is written - I should know, I (along with many others) contributed to that spec. The CBC-MAC vetted conditioning component - You can thank me for getting that in there and Prof Dodis for proving it's a good entropy extractor, but 90B entropy justification reports are submitted as part of a FIPS 140 application, specifically because there is no separate entropy certification. There are ACVT certs for SP800-90A, but no such certs for SP800-90B and of course 90C is still in draft form after all these years. 90C is currently undergoing a big update and 90B is undergoing a small update to clean up after I.G. 7.19 and the draft 7.20.
This is a mess. If you design and sell RNG hardware, you can get a cert for the SP800-90A half of it, but your customer putting the RNG in a FIPS module needs to submit your 90B entropy justification with their FIPS 140 application. With the ENT certs in place (ENT is what NIST is calling it - it's not my name), you as an RNG maker can get both parts certified and your customer can just point to your certs on the NIST website and do their FIPS 140 certification without having to bother you or sign NDAs or any of that hassle.
Re: (Score:3)
As to the previous administration, yes indeed they did dump on the NIST employees. I have no argument with that.
A mostly unrelated question (Score:2)
I've been meaning to ask you something.
I'm familiar with rdrand. Is there an instruction that will get the random value PRIOR to the AES conditioner?
I noticed something about the corrector and the gambler's fallacy. I was curious to check actual output to see if my thought about what should happen actually DOES happen.
Re: (Score:2)
>I'm familiar with rdrand. Is there an instruction that will get the random value PRIOR to the AES conditioner?
Nope. Because that would lead to all sorts of potential security problems. You wouldn't want a program executing that instruction while you were using the random numbers for cryptographic purposes in a separate process or VM on the same CPU.
But we do make such data available on request, usually for people seeking certification or doing research.
By "corrector and the gambler's fallacy" are you referring to the research on adversarial entropy sources?
Re: (Score:2)
Let me start by saying I'm not suggesting that the RNG is broken in any meaningful way. I'm also aware that you understand it far, far better than I do. I'm merely curious about a behavior midway in the system, before the final output is generated.
> By "corrector and the gambler's fallacy" are you referring to the research on adversarial entropy sources?
Here's the basic thought I had. As you probably know, the gambler's fallacy is the idea that if the roulette wheel lands in red 8 times in a row, it's
Re: (Score:2)
The feedback in the entropy source is to keep the metastable core metastable.
This leads to a small amount of serial correlation, so the longer strings of the same value happen less frequently than they would in a uniform distribution of bits.
This means the entropy level is not 100%. Then that data goes into an entropy extractor, which is like a distillation process. Dilute entropy goes in, concentrated entropy comes out. No more entropy comes out than in, just like with distillation, no more alcohol comes ou
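The run-length effect and the "no more entropy comes out than goes in" rule above, as an added example that is not part of the original thread and is not the commenter's or any vendor's code. It assumes a constructed two-state Markov model as a stand-in for a feedback-biased source (the real circuit is not modelled), uses SHA-256, one of the hash functions SP 800-90B lists as vetted conditioning components, in place of the CBC-MAC component the thread discusses (only to avoid an AES dependency), and applies a 64-bit safety margin when sizing the conditioner's input, which is this example's own choice. The min-entropy estimate is a simplified most-common-value estimate without the confidence bound the standard applies.

```python
"""Added example (not the page's or any vendor's code): a constructed stand-in
for a serially correlated bit source, the run-length effect, a min-entropy
estimate on it, and a vetted-style conditioner sized so that no more entropy
is claimed at the output than went in."""
import hashlib
import math
import random
from collections import Counter


def correlated_bits(n, p_flip, seed=0):
    """Constructed Markov source: each bit differs from the previous one with
    probability p_flip. p_flip = 0.5 is i.i.d.; p_flip > 0.5 is anti-correlated,
    a crude stand-in (assumption) for feedback that discourages long runs."""
    rng = random.Random(seed)
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        prev = bits[-1]
        bits.append(prev ^ 1 if rng.random() < p_flip else prev)
    return bits


def run_length_histogram(bits):
    """Count runs of identical consecutive bits, keyed by run length."""
    runs = Counter()
    length = 1
    for prev, cur in zip(bits, bits[1:]):
        if cur == prev:
            length += 1
        else:
            runs[length] += 1
            length = 1
    runs[length] += 1
    return runs


def long_run_fraction(bits, k=4):
    """Fraction of runs at least k long. For i.i.d. bits this is 2**-(k-1)."""
    runs = run_length_histogram(bits)
    total = sum(runs.values())
    return sum(c for length, c in runs.items() if length >= k) / total


def markov_min_entropy_rate(p_flip):
    """Exact per-bit min-entropy rate of the two-state chain: the most likely
    next bit has probability max(p_flip, 1 - p_flip)."""
    return -math.log2(max(p_flip, 1.0 - p_flip))


def mcv_min_entropy_per_bit(bits, symbol_bits=8):
    """Empirical estimate in the spirit of SP 800-90B's most-common-value
    estimator, on non-overlapping symbol_bits-wide symbols. Simplified: the
    standard's 99% upper confidence bound on p_max is omitted here."""
    n = len(bits) // symbol_bits
    symbols = Counter(
        tuple(bits[i * symbol_bits:(i + 1) * symbol_bits]) for i in range(n)
    )
    p_max = max(symbols.values()) / n
    return -math.log2(p_max) / symbol_bits


def raw_bits_needed(h_per_bit, out_bits=256, margin=64):
    """Raw bits the conditioner must consume so its input carries at least
    out_bits + margin bits of min-entropy. The 64-bit margin is this
    example's assumption, not a figure taken from the thread."""
    return math.ceil((out_bits + margin) / h_per_bit)


def condition(bits, h_per_bit, out_bits=256, margin=64):
    """Vetted-style conditioner: SHA-256 stands in for the CBC-MAC component
    the thread discusses (swap made only to avoid an AES dependency).
    Returns (output bytes, number of raw bits consumed)."""
    needed = raw_bits_needed(h_per_bit, out_bits, margin)
    if len(bits) < needed:
        raise ValueError(f"need {needed} raw bits, have {len(bits)}")
    chunk = bits[:needed]
    raw = int("".join(map(str, chunk)), 2).to_bytes((needed + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[: out_bits // 8], needed


if __name__ == "__main__":
    N = 200_000
    for label, p in (("i.i.d.", 0.5), ("anti-correlated", 0.6)):
        bits = correlated_bits(N, p)
        h = markov_min_entropy_rate(p)
        print(f"{label:16s} runs>=4: {long_run_fraction(bits):.3f}  "
              f"H_min/bit exact={h:.3f} estimate={mcv_min_entropy_per_bit(bits):.3f}  "
              f"raw bits per 256-bit output: {raw_bits_needed(h)}")
```

Running it shows the effect the comment describes: the anti-correlated source has noticeably fewer runs of four or more identical bits than the i.i.d. source, its per-bit min-entropy drops below 1 even though every bit is still 50/50 in isolation, and the conditioner therefore has to consume more raw bits (435 rather than 320 here) to justify a 256-bit output. The hash does not create entropy; it only concentrates what was fed in.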
Re: (Score:2)
Thanks for that. I had listened to one of your talks a while back and thought how clever that feedback circuit was. Later, I had this thought pop into my head "hey wait a minute ... that's explicitly making it non-random". :)
Maybe I'll get your book, because I have an odd fascination with computer randomness. Only thing is, once I start a book I generally don't sleep until I finish it, so I'll need to find a day to devote to random uninterrupted.
Re: (Score:2)
It would be a lot less random without the feedback. You need sigma_n > 10*sigma_m. The feedback drags sigma_m down.
Be careful meddling with computer randomness - it might take over your career - look at me for example.