[Cryptography] The world's most secure TRNG

Bill Cox waywardgeek at gmail.com
Sun Sep 28 07:27:57 EDT 2014


I have a quick question for you guys.  For a USB stick TRNG, would you
rather pay ~$15 for a 100K-byte/second source of true entropy, or ~$30 for
a 1M-byte/second source?

I am currently designing a USB stick version of an INM to promote the
architecture.  I plan to offer them for sale for what it costs me to build
them, which in low volume I expect to be around $15 to $30 depending on the
speed target.  Schematics, board layout, and BOM will be made
public-domain.  Currently my target spec is 1MiB/second (mega-byte, not bit),
over USB 2.0, but some of the high-performance parts are expensive
(high-speed buffer, comparator, op-amp, and analog switch).  Just using a
jelly-bean quad op-amp is super-cheap, but 20X slower.

The jelly-bean op-amp based versions are available on github, with LTspice
schematics and sims:

https://github.com/waywardgeek/infnoise

It's cheap, comparatively fast, and unlike other TRNGs, it's easy to get
right.  It is 10X more fool-proof than any other TRNG I know of, simply
because of its near immunity to signal injection, power supply noise,
cross-talk, etc.  No shielding is required, and the power supply can be
noisy.  No care needs to be taken with cross-talk between traces.
Attackers are welcome to inject strong signals into this TRNG, which simply
results in enhancing entropy, rather than subverting it.  It turns out that
attackers make a nice source of entropy, and INMs add all sources, without
letting any saturate the signal.

Basically, TRNGs today generally amplify a noise source until it saturates
to a 0 or 1.  Such systems are *very* hard to get right because they are so
sensitive to external noise.  The right way to amplify the noise source is
with modular multiplication rather than saturating multiplication. It is as
simple as that.

There is some analysis on that page, and test-code to verify that the level
of entropy shifted out per bit, when the loop amplification is A, is:

    E = log(A)/log(2)

For example, when using a gain of sqrt(2), rather than 2, each bit shifted
out contributes 1/2 bit to the entropy pool.  I've written code to test the
entropy of INM output, and measurements on simulation data closely match
this equation.

At least for the most sensitive cryptography, I think we should stop using
zener noise, oscillator jitter, latch power-up state, and other TRNG
architectures that are highly sensitive to noise that could be controlled
by an attacker, and which are too hard for regular guys to get right on a
board.

Bill
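As an added illustration, not code from the original post and not from the infnoise repository, the following Python model compares the two architectures the post contrasts: a loop whose state is multiplied by A each cycle with one reference subtracted whenever the comparator trips (the modular, or "infinite noise", multiplier), and a comparator that looks only at this cycle's amplified noise (the saturating design). The state-update x -> A*x mod 1 is the beta-transformation, whose entropy per output symbol is log2(A), which is the post's E = log(A)/log(2). The noise level, the injected periodic signal, and the conditional-entropy estimator are my assumptions, chosen to make the effect visible, not measurements from the real hardware.

```python
import math
import random
from collections import Counter


def entropy_per_bit(gain):
    """Entropy shifted out per output bit for loop gain A: E = log2(A)."""
    return math.log2(gain)


def periodic_injection(i):
    # Assumed attacker signal: a period-16 sine, amplitude 0.1 in state units,
    # i.e. about 50 standard deviations of the thermal noise modelled below.
    return 0.1 * math.sin(2 * math.pi * (i + 0.5) / 16)


def inm_bits(gain, n_bits, noise_sigma=0.002, inject=None, seed=1):
    """Model of the modular-multiplication loop (1 < gain <= 2).

    Each cycle the stored value is multiplied by `gain`, a little fresh noise
    (and any injected interference) is added, and the comparator outputs 1
    and subtracts one reference if the result crossed it.  Nothing ever
    saturates: the residue stays in [0, 1) and keeps being amplified.
    """
    rng = random.Random(seed)
    x = rng.random()
    out = []
    for i in range(n_bits):
        v = gain * x + rng.gauss(0.0, noise_sigma)
        if inject is not None:
            v += inject(i)
        v = min(max(v, 0.0), 2.0 - 1e-12)  # one reference can be subtracted per cycle
        bit = 1 if v >= 1.0 else 0
        x = v - bit
        out.append(bit)
    return out


def saturating_bits(n_bits, noise_sigma=0.002, inject=None, seed=1):
    """Model of the common 'amplify noise until it hits a rail' TRNG.

    The comparator sees only this cycle's noise plus whatever is injected,
    so a signal much larger than the noise decides every bit.
    """
    rng = random.Random(seed)
    out = []
    for i in range(n_bits):
        v = rng.gauss(0.0, noise_sigma)
        if inject is not None:
            v += inject(i)
        out.append(1 if v > 0 else 0)
    return out


def conditional_entropy(bits, k=8):
    """Plug-in estimate of H(next bit | previous k bits), in bits per symbol.

    This is a predictability measure: an attacker who has seen the last k
    bits and knows the design gains this many bits of uncertainty per output.
    """
    mask = (1 << k) - 1
    ctx = 0
    for b in bits[:k]:
        ctx = (ctx << 1) | b
    ctx_counts = Counter()
    pair_counts = Counter()
    for b in bits[k:]:
        ctx_counts[ctx] += 1
        pair_counts[(ctx, b)] += 1
        ctx = ((ctx << 1) | b) & mask
    n = len(bits) - k
    h = 0.0
    for (c, b), cnt in pair_counts.items():
        h -= (cnt / n) * math.log2(cnt / ctx_counts[c])
    return h


if __name__ == "__main__":
    n = 200_000
    for gain in (math.sqrt(2), 2.0):
        h = conditional_entropy(inm_bits(gain, n))
        print(f"INM gain {gain:.3f}: predicted {entropy_per_bit(gain):.3f} "
              f"bits/bit, measured {h:.3f}")
    print(f"saturating, clean noise:  {conditional_entropy(saturating_bits(n)):.3f}")
    print(f"saturating, injected:     "
          f"{conditional_entropy(saturating_bits(n, inject=periodic_injection)):.3f}")
    print(f"INM sqrt(2), injected:    "
          f"{conditional_entropy(inm_bits(math.sqrt(2), n, inject=periodic_injection)):.3f}")
```

Run stand-alone, the gain-sqrt(2) loop measures close to 0.5 bits per output bit and the gain-2 loop close to 1.0, matching E = log2(A); with gain sqrt(2) every 1 is necessarily followed by two 0s, which is why the raw stream must be whitened or its entropy counted at log2(A) rather than 1 bit per bit. The saturating comparator gives nearly 1 bit per bit on clean noise but drops to essentially zero once the injected signal dominates, because the output just tracks the sign of the interference, whereas the same injection into the multiplying loop is folded back into the state and the measured entropy stays at or above log2(A). The estimator uses an 8-bit context and a few hundred thousand samples, so its bias is well below the effects being compared; it is a sanity check on the model, not an entropy certification of real hardware.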