[cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

Thierry Moreau thierry.moreau at connotech.com
Thu Sep 15 20:26:00 EDT 2016


Thank you for this quick feedback.

On 15/09/16 09:04 PM, dj at deadhat.com wrote:
>> Hi!
>>
>> A true random number generation strategy is no better than its
>> trustworthiness. Here is a suggestion for a simple scheme which rests on
>> a common digital electronic design.
>>
> [...]
>> Unavoidable current noise source:
>>    - thermal noise
>>    - excess current noise caused by the above resistor material
>> construction
>> Noise sources to be reduced (as a matter of sampling approach coherency)
>>    - electrostatic ...
>>    - electromagnetic ...
>>
>> Any thoughts?
>>
>
> Yes.
>
> A) Can you build 100,000,000 and expect them all to work?

No. The stated goal is to provide some scheme that a few wise guys may 
trust. So, building 20 units and having you as a satisfied user would be 
a more realistic goal. Microsoft and Apple seem to be trusted by the crowd.

> B) Can you expect the those 100,000,000 resistors to behave in a
> consistent manner or will the supplier switch compounds on you while you
> aren't looking.  If you try and buy a paper-oil cap today, you'll get a
> poly pretending to be paper-oil. I assume it's the same for obsolete
> resistor compounds.

This brings the question of characterization of cheap material procured 
from the mass market channels. Obviously it is part of the detailed 
crafting process.

Realistically, one would be able to avoid the trouble here, e.g. by
buying a few rolls of 5000 resistors from a few manufacturers.

> C) What are the EM injection opportunities to measured noise? Can you
> saturate the inputs?

Also part of the implementation details to watch. This small circuit may 
be located in a Faraday cage. Hopefully its internals will remain tamper 
evident for a very paranoiac user.

About input saturation, the expected result of experimentation (with 
analysis) is some confidence that current noise is the main source of 
data fluctuation (I do not state which statistic to apply here for "data 
fluctuation"), and then EM could hardly induce the relevant resistor 
currents without e.g. a large coil within a short distance. Admittedly, 
this is not a definitive answer for a very paranoiac user.

Do you have a scheme overall immune to EM injection opportunities? Is 
the complexity of this scheme such that every external influence 
opportunities may be ruled out?

> D) How are you planning to characterize the min entropy of the source? We
> know the min entropy of well defined Gaussian noise, but what about shot,
> 1/f and all the other weird distributions?
>    D_a) Can you distinguish that noise from system noise that might be
> systematic rather than entropic.

Two aspects: entropy and the inherently compound measurement of multiple 
(and little understood) noise source ("noise from system" might be 
rather vague for a physicist).

About compound measurement, careful crafting of the wheatstone bridge 
(and its excitation voltage source) is expected to provide some 
assurance that current noise (thermal noise and excess current noise 
from resistor material properties) is the foremost contributor to data 
fluctuations.

Min entropy characterization: no definite plan. The raw 24 bits samples 
will be available for attempts at distribution characterization. I 
suspect however that a paranoiac user will fear that after gigabytes of 
data fed to the characterization process, the source might suddenly turn 
low entropy when the data is switched to the cryptographic random secret 
generation process.

> E) Do you have an extractor algorithm in mind that is proven to work at
> the lower bound for the min entropy you expect from the source?

I might have ideas in this area of concern but "proven extractor 
algorithm" is something orthogonal to the source: a proven algo would 
have its proof for a given "min entropy" abstract concept.

> F) Are you wanting computational prediction bounds at the output of the
> extractor or do you want H_inf(X) = 1.
>    F_1) If you want the entropy answer, then you need to consider multiple
> input extractors.
>    F_2) Oh, and quantum-safe extractors are a thing now.

These questions, which I do not understand fully, would be orthogonal to 
the source.

> G) Are any certifications required. In my experience P(Y) -> 1 as t ->
> infinity. Projects who swore up and down that they weren't doing FIPS
> would come back 2 years later, with a finished chip and ask "Can this be
> FIPS certified", after a customer made their requirements clear.

This question need not be addressed now ( P(Y) unknown as t=0! ).

> That's my usual list of questions. They may or may not apply to your
> situation.

Thanks for sharing this.

- Thierry Moreau



More information about the cryptography mailing list