[Cryptography] Thoughts on hardware randomness sources

Thor Lancelot Simon tls at rek.tjls.com
Thu Sep 12 22:38:27 EDT 2013


On Tue, Sep 10, 2013 at 10:59:37AM -0400, Marcus D. Leech wrote:
> 
> Similarly, any hardware with an ADC input can be used as a hardware
> random noise source, simply by cranking up the gain to suitable
> levels where the low-order bit is sampling thermal noise.

We looked briefly at this during one of my efforts to improve
entropy availability on small or embedded systems running NetBSD.
I was inspired by the insight on pages 12-13 of 
http://csrc.nist.gov/groups/ST/toolkit/documents/rng/TestingOSSources.pdf :

	"Some sources would require unworkably complex physical models:
	 * Interaction of air current flows, thermal flows, and supply
	   voltage inside PC case
	 * Change in supply voltage affects fan speed affects air flow
	   affects temperature affects PSU affects supply voltage

	[...]

	"Address failure via fault-tolerant design: [...] Many, many
	 entropy sources".

So I tore through the system looking for anything even indirectly
caused by physical variation or human interaction that we could measure
and inject into the entropy pool -- what's listed above, power plug
and battery state change / charge level, physical addresses of VM
system pages faulted in at various intervals, skew between clocks
potentially derived from separate oscillators on the motherboard, etc.
And at least on some systems, we do a pretty decent job getting those in.

The audio subsystem actually posed *two* obvious opportunities: amplifier
noise from channels with high final stage gain but connected by a mixer
to muted inputs, and clock skew between system timers and audio sample
clocks.  The former requires a lot of interaction with specific audio
hardware at a low level, and with a million different wirings of input to
mixer to ADC, it looks hard (though surely not impossible) to quickly
code up anything generally useful.  The latter would be easier, and it
has the advantage you can do it opportunistically any time the audio
subsystem is doing anything *else*, without even touching the actual
sample data.

Unfortunately, both of them burn power like the pumps at Fukushima,
which makes them poorly suited for the small systems with few other
sources of entropy which were one of my major targets for this.  So they
are still sitting on some back back back burner.  Someday, perhaps...

Thor
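
The clock-skew measurement and the "many, many entropy sources" design discussed above, sketched as an added example that is not part of the original message and is not NetBSD code. The tick values are constructed, the names `skew_symbols`, `min_entropy_per_symbol` and `Pool` are hypothetical, and the SHA-256 mixing, the 50% derating and the simple most-common-value estimate are assumptions chosen for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed sample data: system-timer cycle counts latched at successive
# audio buffer-complete interrupts (nominal period 10000 cycles).
HEALTHY = [0, 10003, 20001, 30008, 40006, 50015,
           60012, 70024, 80021, 90027, 100030]
# Constructed failure case: both clocks driven by one oscillator, so no skew.
STUCK = [i * 10000 for i in range(11)]

def skew_symbols(ticks, bits=4):
    """Low `bits` bits of the change in period between successive events."""
    periods = [b - a for a, b in zip(ticks, ticks[1:])]
    jitter = [b - a for a, b in zip(periods, periods[1:])]
    return [j & ((1 << bits) - 1) for j in jitter]

def min_entropy_per_symbol(symbols):
    """Plug-in most-common-value estimate, log2(n / count of the mode)."""
    if not symbols:
        return 0.0
    return math.log2(len(symbols) / Counter(symbols).most_common(1)[0][1])

class Pool:
    """Hypothetical pool: every sample is mixed in, credit is conservative."""
    def __init__(self):
        self.state = bytes(32)
        self.credit_bits = 0.0

    def add(self, source, symbols, derate=0.5):
        data = bytes(symbols)
        # Domain-separate by source name and length, then chain through SHA-256.
        self.state = hashlib.sha256(
            self.state + source.encode() + b"\0"
            + len(data).to_bytes(4, "big") + data).digest()
        # Credit only a derated estimate; a dead source earns nothing.
        est = min_entropy_per_symbol(symbols) * len(symbols) * derate
        self.credit_bits = min(256.0, self.credit_bits + est)
        return est

if __name__ == "__main__":
    pool = Pool()
    for name, ticks in (("audio-skew-stuck", STUCK), ("audio-skew", HEALTHY)):
        credited = pool.add(name, skew_symbols(ticks))
        print(f"{name}: credited {credited:.2f} bits, pool {pool.credit_bits:.2f}")
```

The stuck source still changes the pool state but earns no credit, so its failure costs nothing as long as other sources contribute. Nine symbols are far too few for a trustworthy estimate; a real estimator needs a much larger sample.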

