using SRAM state as a source of randomness

James A. Donald jamesd at
Mon Sep 17 19:13:35 EDT 2007

Netsecurity wrote:
 > Back in the late 60's I was playing with audio and a
 > magazine I subscribed to had a circuit for creating
 > warble tones for standing wave and room resonance
 > testing.
 > The relevance of this is that they were using a
 > "random" noise generating chip that they acknowledged
 > was not random enough for good measurements. The fix
 > suggested was to parallel a number, six as I recall,
 > to improve the randomness by mixing the signals to
 > achieve better randomness. I don't recall the math but
 > the approach improved the randomness by more than an
 > order of magnitude.

If one such chip was so non random that the ear could
hear the difference from white noise or pink noise, it
is most unlikely that six together would be random
enough for cryptographic purposes.

As has often been stated on this list, the noise source
must be understood, so that we have physical theory as
to where the noise is coming from, and also tested to
make sure it is functioning in accord with theory.  No
one really understands where zener diode noise is coming

True entropy in equals true entropy out.   You need to
be able to determine the true entropy in from physical
theory, and be able to test the hardware to check it is
working in accordance with theory.

To know that a true random number generator is
cryptographically secure, you need knowledge of the
underlying hardware, knowledge that shows it derives its
randomness from the fundamental randomness of the
universe, either thermal entropy, (Johnson noise) or
quantum indeterminacy (shot noise), knowledge that
enables us to determine the good functioning of the
underlying noise amplification circuits from the
character of the output.

A good circuit would simply directly amplify the
underlying noise source, so that the entropy of the
output would be somewhat less than one entropy bit per
signal bit, thus ensuring that any malfunction of the
underlying circuit would be obvious, and then pass that
output into a hash generator, which emits hash that
outputs less bits than the true entropy.

Using SRAM as a source of either randomness or unique
device ID is fragile.  It might well work, but one
cannot know with any great confidence that it is going
to work.  It might work fine for every device for a
year, and then next batch arrives, and it completely
fails.  Worse still, it might work fine on the test
batch, and then on the production run fail in ways that
are subtle and not immediately obvious.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list