3

I will be using a tRNG to generate EC keypairs on a Secure Integrated Controller.

I need to demonstrate I, the issuer, cannot know the private key without colluding with the user to obtain it, even if the tRNG is weak. I also don't want to reveal the private key to the user, only the public key.

I'm thinking a scheme along these lines:

Data from an external (user-provided) source of randomness is concatenated with data from the tRNG. The result is hashed and used as an EC private key. The EC public key is calculated from the private key, and a zero-knowledge proof is used to demonstrate that the external randomness was used to generate the private secret that corresponds to that public key.

I prefer the solution with the lowest implementation complexity that will work within my performance constraints. Preferably, I want to use the standard EC operations and common hash functions as much as possible.
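The key-combination step of the scheme described above, as an added example that is not code from the question or the answer: user-supplied randomness and the controller's tRNG output are hashed together into a P-256 scalar, and the public key is derived from it. The zero-knowledge proof that the user's randomness was used is not shown; the curve choice, the domain-separation labels and the hypothetical `DeriveKey` / `PublicKeyHex` names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeriveKey mixes user randomness with the tRNG output into a P-256 private key.
// The scalar is SHA-256 over a domain-separated transcript (hypothetical labels);
// if the digest is 0 or >= the group order, a counter is bumped and the hash
// repeated, so the result is a uniform scalar without a biased mod-n reduction.
func DeriveKey(userRand, trngRand []byte) (*ecdh.PrivateKey, error) {
	if len(userRand) < 32 || len(trngRand) < 32 {
		return nil, errors.New("each randomness source must supply at least 32 bytes")
	}
	for ctr := uint32(0); ctr < 64; ctr++ {
		h := sha256.New()
		h.Write([]byte("ec-keygen-v1|user|")) // separators keep the two inputs unambiguous
		h.Write(userRand)
		h.Write([]byte("|trng|"))
		h.Write(trngRand)
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], ctr)
		h.Write(c[:])
		// NewPrivateKey rejects any scalar outside [1, n-1]; on error, retry.
		if priv, err := ecdh.P256().NewPrivateKey(h.Sum(nil)); err == nil {
			return priv, nil
		}
	}
	return nil, errors.New("no valid scalar found after 64 attempts")
}

// PublicKeyHex returns the uncompressed public point for the derived key; this
// is the only value the scheme hands back to the user.
func PublicKeyHex(userRand, trngRand []byte) (string, error) {
	priv, err := DeriveKey(userRand, trngRand)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(priv.PublicKey().Bytes()), nil
}

func main() {
	// Constructed sample inputs: a fixed (deliberately weak) tRNG output and user entropy.
	user := bytes.Repeat([]byte{0x11}, 32)
	trng := bytes.Repeat([]byte{0x22}, 32)
	pub, err := PublicKeyHex(user, trng)
	fmt.Println(pub, err)
}
```

With the tRNG output held constant, as a weak tRNG would produce, the resulting key still changes with the user's contribution, which is the property the proof step must then establish without revealing the scalar.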

1 Answer

-2

Excellent question. "prove that the RNG process is not somehow backdoored"

You can't. Robert A. Heinlein said “Love your country, but never trust its government.”

It's mathematically impossible and thus called computational indistinguishability. The NSA/MSS can feed you numbers that look truly random from sources/devices they control and yet are entirely predictable given their secret designs. It is not in their national interest to allow people access to true randomness as that facilitates private conversations. And no security service wants that.

The only way to prove that a TRNG is not backdoored is to build it yourself. It's not that hard. Zener diodes and webcams are your friends. If you're serious, there are online articles that can help you, or there is reallyreallyrandom.com.

And how can you trust "Data from an external (user-provided) source of randomness"? Is that under the influence of NSA/MSS? How would you know?

Buy diodes.

Paul Uszak