<div dir="ltr">Nice paper! This is the first time I've seen a publicly reviewable implementation of something similar to Intel's DRNG. The Intel folks mean well, but they are not allowed to answer technical questions about their DRNG. Can you answer some questions for me?<div><br></div><div>First, it looks like both your circuit and Intel's will have a strong bias, possibly even output just 0's or just 1's, if the voltage is caused to increase more rapidly than your feedback circuit can compensate for. If I write software meant to cause significant voltage shifts on the power rails in a saw-tooth pattern, will I be able to control the output of your ES? To simulate this, just add small voltages in series with the gates in your inverters so there is a small mismatch. At 14u, the mismatch will be worse than ever unless specific steps are taken to remedy the problem.</div><div><br></div><div><br></div><div>Second, why bother with more than one ES? AFAIK, there is no way to combine independent sources to produce 100% perfect randomness, though we can easily get whatever level of true randomness desired for any practical purpose such as crypto. Is this for improved speed?</div><div><br></div><div>Are you able to make devices available for testing? Can we access the raw ES output (unlike Intel's DRNG)?</div><div><br></div><div>I've simulated DRNG-like circuits, and I do believe they work, but while they do consume less power per bit and deliver bits at a higher speed, and with less die area than anything else I've seen, the flip side of that is they seem to be more sensitive to external influences, mostly power supply changes, than any other circuit I've simulated. Intel has a patent they don't use on adding voltage regulation to a TRNG to prevent power-rail attacks, so the rest of us are not allowed to do that. Without it, can you make a single ES robust against attack?</div><div><br></div><div>BTW, I really do hope to be convinced that this circuit is solid and trustworthy. It has the best performance specs around.</div><div><br></div><div>Thanks,</div><div>Bill</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jul 24, 2016 at 12:45 PM, David Johnston <span dir="ltr"><<a href="mailto:dj@deadhat.com" target="_blank">dj@deadhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<p><br>
</p>
<br>
<div>On 7/21/16 8:06 AM, Tom Mitchell wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><br>
<div><a href="http://imotp.sourceforge.net/noise.pdf" target="_blank">http://imotp.sourceforge.net/noise.pdf</a>
<--- interesting.</div>
<div> From the above link : "Transistor junction noise
provides a source of true random data that can </div>
<div> be sampled and
stored on a computer. However, this sampled data does not
contain 1 bit of entropy </div>
<div> per bit
of stored data. It is therefore necessary to post process
the data samples to distil the
existing </div>
<div> entropy into a smaller number of high entropy bits."</div>
<br>
</div>
</div>
</div>
</blockquote></span>
This isn't just a property of transistor noise. It's a property of
all digital samplings of physical processes in this universe.<br>
<br>
If you are building a circuit to convert sampled noise into bits,
you need to do entropy distillation/conditioning/extraction or
whatever it's called this week. I prefer distillation since it gets
at the essence of what's going on.<br>
<br>
Pinkas proved with a single source, no deterministic algorithm will
get you to 100% entropy, as in Hinf(X)=1, or stated more directly,
max_i(P(xi)=1) = 0.5.<br>
<br>
Dodis proves you can get close enough for crypto, but the guarantee
is a computational bound, not full entropy.<br>
<br>
You can get there with multiple independent sources, but where do
you find independent sources in this universe?<br>
<br>
For the practicing engineer, you can take advantage of multiple
sources and accept that while you can't prove they are independent,
you can assume they are independent enough that it's going to work.
The benefits being that the multiple input extractors can be simpler
with more clear proofs. We built one this way and as far as I know
it's the world's most efficient RNG (in bits/s/W and bit/s/m^2).
<a href="http://www.deadhat.com/papers/uRNG.pdf" target="_blank">http://www.deadhat.com/papers/uRNG.pdf</a><br>
<br>
I think it is an issue for crypto systems that people built physical
RNG noise sources without paying attention to extractor theory. The
two are tightly coupled disciplines.<span class="HOEnZb"><font color="#888888"><br>
<br>
DJ<br>
<br>
<br>
<br>
</font></span></div>
<br>_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" rel="noreferrer" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a><br></blockquote></div><br></div>