[cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

dj at deadhat.com dj at deadhat.com
Thu Sep 15 17:04:27 EDT 2016

> Hi!
> A true random number generation strategy is no better than its
> trustworthiness. Here is a suggestion for a simple scheme which rests on
> a common digital electronic design.
> Unavoidable current noise source:
>   - thermal noise
>   - excess current noise caused by the above resistor material
> construction
> Noise sources to be reduced (as a matter of sampling approach coherency)
>   - electrostatic ...
>   - electromagnetic ...
> Any thoughts?


A) Can you build 100,000,000 and expect them all to work?
B) Can you expect the those 100,000,000 resistors to behave in a
consistent manner or will the supplier switch compounds on you while you
aren't looking.  If you try and buy a paper-oil cap today, you'll get a
poly pretending to be paper-oil. I assume it's the same for obsolete
resistor compounds.
C) What are the EM injection opportunities to measured noise? Can you
saturate the inputs?
D) How are you planning to characterize the min entropy of the source? We
know the min entropy of well defined Gaussian noise, but what about shot,
1/f and all the other weirdy distributions?
  D_a) Can you distinguish that noise from system noise that might be
systematic rather than entropic.
E) Do you have an extractor algorithm in mind that is proven to work at
the lower bound for the min entropy you expect from the source?
F) Are you wanting computational prediction bounds at the output of the
extractor or do you want H_inf(X) = 1.
  F_1) If you want the entropy answer, then you need to consider multiple
input extractors.
  F_2) Oh, and quantum-safe extractors are a thing now.
G) Are any certifications required. In my experience P(Y) -> 1 as t ->
infinity. Projects who swore up and down that they weren't doing FIPS
would come back 2 years later, with a finished chip and ask "Can this be
FIPS certified", after a customer made their requirements clear.

That's my usual list of questions. They may or may not apply to your

More information about the cryptography mailing list