
On a related note of building my own RNG, as someone suggested to use several commercial solutions, how can I check if it is rigged against me? (Although I am still strongly biased to a homebrew solution that is designed to be hard to subvert, taking the shortest possible route from a quantum random source to the ADC.)

Maxthon Chan
    No way to tell really. The output of a CSPRNG would be indistinguishable from a TRNG. Only by inspecting what the actual hardware does would you be able to verify it. – otus Dec 14 '15 at 11:53
  • @otus I am okay with a good CSPRNG with a good entropy feed. The problem is about subverted RNGs like the ECDRBG NSA backdoor. How can I tell if my commercial RNG chip is rigged in that way? – Maxthon Chan Dec 15 '15 at 01:30

1 Answer

While unfortunately that is not possible deterministically, if you have a small amount of "guaranteed trustworthy" randomness, you can use several untrusted RNGs together to generate an unlimited supply of good randomness (under some weak assumptions of non-signaling between the RNGs). This is called "randomness expansion" and I am not aware of any use in practice yet, unfortunately.

See these papers by Colbeck and Kent, and by Coudron and Yuen.

Joe Bebel
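The classical, non-quantum version of "use several untrusted RNGs together", as an added example that is not from the original post or the cited papers: XOR-ing equal-length outputs from independent sources stays uniform as long as at least one source is honest and independent of the others. It does not expand randomness as the cited protocols do, and the constructed `signaling_rigged_source` shows why the answer's non-signaling assumption matters. All source functions are constructed stand-ins, not real devices.

```python
import os


def xor_combine(*chunks: bytes) -> bytes:
    """XOR equal-length outputs from several RNGs into one output.

    If any one chunk is uniformly random and independent of the others,
    the result is uniformly random, however the other chunks were made.
    """
    n = len(chunks[0])
    if any(len(c) != n for c in chunks):
        raise ValueError("all sources must supply the same number of bytes")
    out = bytearray(n)
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def bias_score(data: bytes) -> float:
    """Fraction of 1 bits; uniform data scores close to 0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


# Constructed stand-ins for RNG chips; none of these is a real device.
def honest_source(n: int) -> bytes:
    return os.urandom(n)  # plays the single trustworthy source


def rigged_source(n: int) -> bytes:
    # Looks busy but is fully predictable to whoever planted it.
    return bytes((i * 37) % 256 for i in range(n))


def signaling_rigged_source(n: int, seen: bytes) -> bytes:
    # Breaks the non-signaling assumption: it reads the other source's
    # output and echoes it, so the XOR collapses to all zeros.
    return seen


def combine_independent(n: int) -> bytes:
    """Honest + rigged but independent: the output stays uniform."""
    return xor_combine(honest_source(n), rigged_source(n))


def combine_signaling(n: int) -> bytes:
    """Honest + a rigged source that can see it: randomness is cancelled."""
    h = honest_source(n)
    return xor_combine(h, signaling_rigged_source(n, h))
```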