[Libre-soc-dev] [OpenPOWER-HDL-Cores] microwatt grows up LCA2021

[Paul Mackerras]

On Sun, Jan 31, 2021 at 01:08:18PM +0000, Luke Kenneth Casson Leighton wrote:
> (context of link: analysis process for testing RNGs)
> https://github.com/betrusted-io/betrusted-soc/issues/13
> 
> paul the last question asked, about the RNG, slapped wrist for saying it
> can be trusted to be secure! :)

I took the question as a practical question, and as far as I recall I
didn't say anything absolute or theoretical.

> mathematically, nobody can give guarantees (ever), in a nutshell the only
> thing you can say 100% is, "no nightmare scenario has occurred... so far".

That's all you can say about any crypto system.  I personally would
rather trust an FPGA that I have programmed myself and where the logic
is simple enough that it is highly unlikely that any
maliciously-introduced correlation could be present, than the HWRNG in
as ASIC where I have no idea what's really producing the numbers.

> there are "degrees of catastrophic breakage" that can be demonstrated
> quicker with less resources, these eliminate the worst algorithms quickly.
>  over time you have to spend progressively more resources to find the ways
> in which to find broken-ness, and the really good algorithms survive that
> process far longer...
> 
> ... but nobody, not ever, can make a categorical statement, "this
> cryptographic algorithm is secure".

So, therefore you can never use any cryptographic device?  All I said
about the microwatt RNG is that it would be reasonable to use it for
cryptography, and that still seems true to me.  I have run dieharder
for days on it without seeing any concerning results.  If you know any
other good randomness tests, I could run them too.

> ultimately there is no 100% categorical test which proves security.  the
> best that can be done is a process which cautiously declares, "it ain't
> broke... so far"
> 
> sorry for picking up on that and nit-picking :)

Apology accepted. :)

Paul.