[Cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

dj at deadhat.com
Sat Sep 17 14:21:46 EDT 2016


On 9/17/16 6:16 AM, Jerry Leichter wrote:
> Hardware that could do this exists.  In fact, many hundreds of millions
> of instances of it are out there - perhaps right in your pocket.

I think there are north of 200 million RNGs of the type I'm partially to
blame for, many of them in people's pockets.

I'm perplexed by the notion that you 'just' need 256 bits of entropy and
then you can deal with it with PRNGs, storage and secure compute elements
and things, as if the entropy source was the difficult bit. That post
handling is of the order of 100X more complicated, power hungry and
silicon area consuming than an entropy source, extractor and online health
test that can produce 256 bits of entropy every microsecond, continuously.
Non-volatile storage in particular is a pig to render secure since you
face the chicken-and-egg problem of where to store the key to protect the
NVM. You could use PUFs, but some OTC PUF solutions require off-chip flash
for the helper data.

If a usable supply of cryptographically secure random numbers is required,
just put a good RNG in your chip or board.

10 years ago, a CSPRNG (complete with AES block) was faster per unit area
and faster per Watt than entropy sources. These days, due to entropy
sources getting smaller, faster than silicon process, the reverse is true.
The same silicon area filled with entropy sources and extractors will be
faster (or lower power or whatever variable you want to optimize) than the
same area filled with a CSPRNG.

Shrinking entropy sources comes from (a) better circuits and (b) better
extractor theory.
I haven't noticed similar improvements in CSPRNGs. Much of the
'lightweight' PRNG work seems to have been aimed at trading off area for
security level.

DJ
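The post refers to a pipeline of entropy source, online health test and extractor without spelling one out. The following is an added illustration, written for this page and not DJ's design or any product's code, of what such a pipeline does: raw 1-bit samples from a (simulated, constructed) noise source are run through two continuous health tests in the style of the SP 800-90B repetition count and adaptive proportion tests, then conditioned with SHA-256 into a 256-bit output. The assumptions are mine: a false-alarm rate of 2^-20 per test, a 1024-sample window, a 2x oversampling margin in front of the hash, and adaptive-proportion cutoffs derived here from a binomial tail rather than taken from the standard's tables. A source that gets stuck at a constant value is rejected before any output is produced.

```python
"""Toy entropy-source pipeline: raw noise samples -> online health tests ->
extractor. Constructed illustration only; not DJ's design. Cutoffs are
derived here from an assumed 2^-20 false-alarm rate, not copied from a
standard's tables."""
import hashlib
import math
import random
from typing import Iterator, List

ALPHA_LOG2 = 20      # assumed false-alarm probability per test: 2^-20
APT_WINDOW = 1024    # assumed window for the adaptive proportion test
OUTPUT_BITS = 256    # size of one extractor output


class HealthTestFailure(Exception):
    """Raised when the online health tests reject the raw samples."""


def repetition_count_cutoff(h_min: float) -> int:
    """Run length a source with h_min bits of min-entropy per sample reaches
    with probability about 2^-ALPHA_LOG2: C = 1 + ceil(ALPHA_LOG2 / h_min)."""
    return 1 + math.ceil(ALPHA_LOG2 / h_min)


def adaptive_proportion_cutoff(h_min: float, window: int = APT_WINDOW) -> int:
    """Smallest count C such that the first value of a window (probability
    at most 2^-h_min) occurs >= C times in the window with probability below
    2^-ALPHA_LOG2. X ~ Binomial(window-1, 2^-h_min) counts the repeats; the
    pmf is evaluated in log space so large windows do not overflow."""
    p = 2.0 ** (-h_min)
    n = window - 1
    logp, logq = math.log(p), math.log1p(-p)
    pmf = [math.exp(math.lgamma(n + 1) - math.lgamma(k + 1)
                    - math.lgamma(n - k + 1) + k * logp + (n - k) * logq)
           for k in range(n + 1)]
    alpha = 2.0 ** (-ALPHA_LOG2)
    tail = 0.0
    for k in range(n, -1, -1):      # tail = P[X >= k], accumulated from the top
        tail += pmf[k]
        if tail >= alpha:           # k+1 is the smallest repeat count that is rare
            return k + 2            # count includes the first sample itself
    return 2


def repetition_count_test(samples: List[int], cutoff: int) -> bool:
    """Fail if any value repeats `cutoff` times in a row (stuck source)."""
    run, prev = 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_test(samples: List[int], cutoff: int,
                             window: int = APT_WINDOW) -> bool:
    """Fail if, in any full window, the window's first value occurs >= cutoff
    times (source has become heavily biased)."""
    for start in range(0, len(samples) - window + 1, window):
        w = samples[start:start + window]
        if w.count(w[0]) >= cutoff:
            return False
    return True


def extract_block(source: Iterator[int], h_min: float) -> bytes:
    """Pull raw bits carrying 2*OUTPUT_BITS of assessed min-entropy (2x
    margin, an assumption here), health-test them, and hash them to 256 bits.
    SHA-256 acts as the conditioning function (extractor)."""
    n = max(APT_WINDOW, math.ceil(2 * OUTPUT_BITS / h_min))
    raw = [next(source) for _ in range(n)]
    if not repetition_count_test(raw, repetition_count_cutoff(h_min)):
        raise HealthTestFailure("repetition count test failed: source stuck")
    if not adaptive_proportion_test(raw, adaptive_proportion_cutoff(h_min)):
        raise HealthTestFailure("adaptive proportion test failed: source biased")
    packed = int("".join(map(str, raw)), 2).to_bytes((n + 7) // 8, "big")
    return hashlib.sha256(packed).digest()


def biased_bit_source(p_one: float, seed: int) -> Iterator[int]:
    """Constructed stand-in for a noise source: independent bits, P(1)=p_one."""
    rng = random.Random(seed)
    while True:
        yield 1 if rng.random() < p_one else 0


def stuck_source(value: int = 1) -> Iterator[int]:
    """Constructed failure mode: the source has latched at one value."""
    while True:
        yield value


def stuck_source_is_rejected(h_min: float = 0.5) -> bool:
    """True if the health tests refuse to produce output from a stuck source."""
    try:
        extract_block(stuck_source(), h_min)
    except HealthTestFailure:
        return True
    return False


if __name__ == "__main__":
    print("good source ->", extract_block(biased_bit_source(0.6, 1), 0.5).hex())
    print("stuck source rejected ->", stuck_source_is_rejected())
```

The point of the health tests is the caveat DJ's "online health test" implies: the extractor must never run on samples that have silently stopped carrying entropy, because SHA-256 of a constant input looks perfectly random to anyone downstream.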




More information about the cryptography mailing list