<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sun, Dec 8, 2013 at 10:23 PM, Phillip Hallam-Baker <span dir="ltr"><<a href="mailto:hallam@gmail.com" target="_blank">hallam@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">
<div>What about RF emissions made by the circuit?</div><div><br></div><div>This contraption seems like it would bleed its output into the RF spectrum. </div><span class=""><font color="#888888">
<div> </div></font></span></div><span class=""><font color="#888888">-- <br>Website: <a href="http://hallambaker.com/" target="_blank">http://hallambaker.com/</a><br>
</font></span></div></div>
</blockquote></div><br></div><div class="gmail_extra"><font face="arial, sans-serif"><span style="font-size:19px">Like any clocked digital chip, it will put out some RF, though I expect it to be low. This is a slow low power .35u CMOS process, with about 0.4 milliwatt of power per Infinite Noise Multiplier, and there will be 16 of those. The clocked comparator in each INM is differential, and should generate nearly the same power spike for a 1 or a 0. All other power drawn by each INM is in the form of constant current sources in the voltage buffers, so they should be very hard to read from noise on external power pins. Shorting the .1pF caps to each other on clock edges doesn't impact AVDD or AVSS currents, and also should not be detectable from external power pins. I do not know if this would be detectable from outside the package with an RF detector. Does anyone have a cool application for microcontroller with a true RNG that needs super-secret random data that remains secret even when the attacker has a logic analyzer attached to the chip and some sort of RF detector? I would need advice on what sorts of on-chip events are detectable. I don't have any equipment capable of detecting such low level RF spikes.</span></font><div style="font-family:arial,sans-serif;font-size:19px">
<br></div><div style="font-family:arial,sans-serif;font-size:19px">I had some fun yesterday and wrote code to predict the output bits based on the previous 8. It achieved a 74.5% success rate predicting the SPICE output, which is about what I expected. Today wrote code to eliminate most of the bias and correlations as a post-process, and it defeats my prediction code. The algorithm is pretty cool. I think I can get the data to be around 99% free of correlation and bias, while compressing this data by about 2X. This would make the bias drop by a factor of 0.02 for each compressed bit XORed together, rather than the 0.5 I get now, meaning I get about a 2.8X improvement in output rate at the same quality. That would provide bits with no more than about 1e-24 of non-randomness leading to a rate of about 5 M-bits/sec.</div>
<div style="font-family:arial,sans-serif;font-size:19px"><br></div><div style="font-family:arial,sans-serif;font-size:19px">The bias/correlation removal algorithm has two parts. First, read about a megabyte (8 seconds worth) from a given channel, and use it to gather prediction statistics. For each place a given 8-bit sequence occurs, record how many times the next bit is a 1 and how many times it's a 0 in arrays called 'zeros' and 'ones'. Then, as bits come in, I run the following C code to remove the detected bias and correlation:</div>
<div style="font-family:arial,sans-serif;font-size:19px"><br></div><div><div><font face="arial, sans-serif"><span style="font-size:19px">void removeBias(int *data, int length) {</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> double prob, lower = 0.0, upper = 1.0;</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> int i;</span></font></div><div><span style="font-size:19px;font-family:arial,sans-serif"> unsigned char value = 0;</span><br></div><div><font face="arial, sans-serif"><span style="font-size:19px"> for(i = 0; i < length; i++) {</span></font></div>
<div><span style="font-size:19px;font-family:arial,sans-serif"> if(data[i]) {</span><br></div><div><font face="arial, sans-serif"><span style="font-size:19px"> prob = ((double)zeros[value])/(ones[value] + zeros[value]);</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> lower += prob*(upper - lower);</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> } else {</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> prob = ((double)ones[value])/(ones[value] + zeros[value]);</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> upper -= prob*(upper - lower);</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> }</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> while(lower >= 0.5 || upper <= 0.5) {</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> if(upper <= 0.5) {</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> upper *= 2.0;</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> lower *= 2.0;</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> printf("0");</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> } else {</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> printf("1");</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> upper = 2.0*upper - 1.0;</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> lower = 2.0*lower - 1.0;</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> }</span></font></div><div><span style="font-size:19px;font-family:arial,sans-serif"> }</span><br></div><div><div><font face="arial, sans-serif"><span style="font-size:19px"> value <<= 1;</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> if(data[i]) {</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> value |= 1;</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> }</span></font></div>
<div><font face="arial, sans-serif"><span style="font-size:19px"> }</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px"> printf("\n");</span></font></div><div><font face="arial, sans-serif"><span style="font-size:19px">}</span></font></div>
<div style="font-family:arial,sans-serif;font-size:19px"><br></div></div></div><div style="font-family:arial,sans-serif;font-size:19px">For use in one-time-pad encryption or generating keys, I'd still want to XOR 14 of these 2-to-1 compressed bits together, and then run a cryptographic randomizer on the results. I don't think I use any hash function like SHA-256 which is not reversible, unless someone convinces me that it does not introduce correlations. Any permutation should be fine, such as encrypting the random data with block-chained AES-256 and a random key. Does that sound reasonable?</div>
</div></div>