[Cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

Bill Cox waywardgeek at gmail.com
Fri Sep 16 23:57:17 EDT 2016


Oh... there are _so_ many points to debate here... However, please consider
the following argument: All a typical device needs is 256 bits of
randomness, ever.

Bear is entirely correct in pointing out that any device that has only 256
random bits can never generate 257 "random" bits.  We can only use more
than 256 bits from such a device if we take a leap of faith in some CPRNG.
So... let's assume we can trust that SHA256(randSeed + counter) is just
such a function, just as secure as a real TRNG, up to the 256 bit level of
unpredictability.

In this case, we don't actually need a high quality TRNG in every device.
We simply need a trustworthy secure source of random numbers to load into
each device we need to trust, probably only up to 256 bits, unless we're
paranoid about quantum attacks, and then only to 512 bits.  However, we do
require a very _secure_ method of providing each new device with its own
256 (or 512) bit seed.

Now, to generate a trusted 256 (or 512) bit secure root seed for a set of
personal devices, all we need is a _really_ good TRNG for just this number
of bits.  My preferred TRNG is the one I build personally and carry in my
pocket (because I am a _huge_ geek), the "Infinite Noise Generator".
However, a simpler free program is just as good: simply record random key
events and/or mouse movements for a while until the SHA256 (or SHA512) of
these events is so unpredictable that the "surprise" is > 256 bits (or
512).  Just to be sure, use 10X more random inputs than the math says is
needed.

Then, use this secure seed to seed all your devices.

Anyway, the best commercial TRNG, IMO, is the OneRNG.  The best concept for
a TRNG is based on thermal noise, and invented by Peter Allen: the Infinite
Entropy Multiplier (basically an analog modular rather than saturating
multiplier of thermal noise).  These devices provide convenience when you
are not sure if prior seeds are secure, but that is the primary reason we
need them.  We don't need them for every unpredictable value we need to
generate.

Bill