[Cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

Jerry Leichter leichter at lrw.com
Sat Sep 17 20:14:35 EDT 2016


>> Hardware that could do this exists.  In fact, many hundreds of millions
>> of instances of it are out there - perhaps right in your pocket.
> I think there are north of 200 million RNGs of the type I'm partially to
> blame for, many of them in people's pockets.
> 
> I'm perplexed by the notion that you 'just' need 256 bits of entropy and
> then you can deal with it with PRNGs, storage and secure compute elements
> and things, as if the entropy source was the difficult bit. That post
> handling is of the order of 100X more complicated, power hungry and
> silicon area consuming than an entropy source, extractor and online health
> test that can produce 256 bits of entropy every microsecond, continuously.
> Non-volatile storage in particular is a pig to render secure since you
> face the chicken and egg problem of where to store the key to protect the
> NVM? You could use PUFs, but some OTC PUF solutions require off chip flash
> for the helper data.
> 
> If a usable supply of cryptographically secure random numbers is required,
> just put a good RNG in your chip or board.
> 
> 10 years ago, a CSPRNG (complete with AES block) was faster per unit area
> and faster per Watt than entropy sources. These days, due to entropy
> sources getting smaller, faster than silicon process, the reverse is true.
> The same silicon area filled with entropy sources and extractors will be
> faster (or lower power or whatever variable you want to optimize) than the
> same area filled with a CSPRNG.
I have no problem with either approach, implemented correctly.

The area/power tradeoffs are relevant if you are making the choice of *adding* either a TRNG or a CSPRNG.  What I was pointing out is that if you're building a secure encryption facility of the sort Apple has tried to build, you get the CSPRNG for free.  Note that if you want a secure encryption facility of this sort, it will necessarily need to have secure NVM in it.  You're paying for that either way....

                                                        -- Jerry
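The "online health test" that the quoted post lists next to the entropy source and extractor, as an added example that is not code from the original post or from any RNG product: continuous tests in the style of NIST SP 800-90B (repetition count test and adaptive proportion test) run over raw binary noise samples before any conditioning, using the 90B cutoff formulas with the recommended false-alarm rate of 2^-20 per test. The sample streams at the bottom are constructed, not measured noise, and the min-entropy estimate of 1 bit per sample is an assumption for the demonstration.

```python
import math

def rct_cutoff(h_min, alpha=2 ** -20):
    """90B 4.4.1: C = 1 + ceil(-log2(alpha) / H); a run of C equal samples fails."""
    return 1 + math.ceil(-math.log2(alpha) / h_min)

def apt_cutoff(h_min, window=1024, alpha=2 ** -20):
    """90B 4.4.2: smallest C with P[Binomial(W, 2^-H) >= C] <= alpha."""
    p = 2.0 ** -h_min                 # probability of the most likely sample value
    tail = 0.0                        # P[X >= c], accumulated from the top down
    for c in range(window, -1, -1):
        tail += math.comb(window, c) * p ** c * (1.0 - p) ** (window - c)
        if tail > alpha:
            return c + 1
    return 0

class HealthMonitor:
    """Feed one raw sample at a time; returns 'RCT' or 'APT' on failure, else None."""
    def __init__(self, h_min, window=1024, alpha=2 ** -20):
        self.window, self.rct_c, self.apt_c = window, rct_cutoff(h_min, alpha), apt_cutoff(h_min, window, alpha)
        self.last, self.run = None, 0                  # RCT state: current run length
        self.ref, self.count, self.seen = None, 0, 0   # APT state: window reference and tally

    def feed(self, sample):
        # RCT: count consecutive identical samples (catches a stuck or dead source)
        if sample == self.last:
            self.run += 1
        else:
            self.last, self.run = sample, 1
        if self.run >= self.rct_c:
            return "RCT"
        # APT: count how often the window's first sample recurs in the window (catches bias)
        if self.ref is None:
            self.ref, self.count, self.seen = sample, 1, 1
        else:
            self.seen += 1
            if sample == self.ref:
                self.count += 1
            if self.seen == self.window:
                failed, self.ref = self.count >= self.apt_c, None
                if failed:
                    return "APT"
        return None

def first_alarm(bits, h_min=1.0):
    """Run the monitor over an iterable of 0/1 samples; return the first alarm or None."""
    mon = HealthMonitor(h_min)
    return next((alarm for alarm in map(mon.feed, bits) if alarm), None)

# Constructed sample streams, not measured noise data
STUCK = [1] * 64                      # source stuck at 1: RCT fires on the 21st sample
BIASED = ([0] * 20 + [1]) * 50        # ~95% zeros but never 21 in a row: APT fires at sample 1024
BALANCED = [0, 1] * 1024              # alternating samples: both tests pass
```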