[Cryptography] An alternative electro-mechanical entropy source (was 'We cannot trust' Intel and Via's chip-based crypto...)

Arnold Reinhold agr at me.com
Thu Dec 12 06:44:43 EST 2013


On 10 Dec 2013 16:26, Bill Cox wrote:

> ... I took a good 
> look at Intel's hardware random number generator source. There's a paper 
> analyzing it here:
> 
> http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
> 
> The basic idea is that back-to-back inverters, when powered on, flip one 
> way or the other randomly, sort of like DRAM memory when our computer's 
> power on.  By powering on a single pair of back-to-back inverters over 
> and over, they can generate a random bit per cycle, at about 3 
> Giga-bits/second, which is amazing! ...

My problem with the Intel design is that there is no way to audit it.  The paper Bill cited points out that there is no access to the Intel entropy generator from software in production parts. All collected entropy is processed on-chip by a complex testing and whitening circuit that includes an AES-based RNG. There is plenty of room here to hide a way to restrict the entropy of generated bits in chips made for selected customers, or via some hidden command. Such a cooked chip would produce output indistinguishable from true random bits.

The Intel design completely misses the mark, in my opinion. For cryptographic security we don't need gigabits/second, we just need a couple of hundred bits of entropy we can trust to seed a strong deterministic RNG. And more than one source of entropy, preferably of different design, should be required for any system generating cryptographic keys. 

Here is an idea I have been playing with to provide a slow but auditable source of entropy.

I propose combining an accelerometer chip to collect entropy with a vibration motor of the type used in cell phones. For those not familiar with the latter, they consist of a small motor with an unbalanced weight on the armature. Here is a drawing of one http://www.puiaudio.com/pdf/MV4020-13HL-LWC38-R.pdf.  Sealed coin types are also available, e.g. http://www.adafruit.com/products/1201. Accelerometer chips are available with a two-wire I2S bus for reporting data and are easy to interface to simple microprocessors. Both the accelerometer chips and the vibration motors are made in huge quantities and cost under a dollar in quantity.  They can be audited separately. The items could be mounted on the motherboard, daughter board or a USB dongle.  

In operation, a few seconds of accelerometer readings would be collected with the motor cycling on and off. The readings would be analyzed in software for acceptable statistical properties and then hashed to provide the random bits. The process could be repeated at intervals to stir the RNG state.

There may well be enough mechanical uncertainty and measurement noise just in combining these two elements, but for extra credit, one could attach to either item or to the circuit board on which they are mounted a "rattle" consisting of one or two loose objects in a small box, perhaps made of clear plastic or with a clear window for visual inspection. The objects might be a ball bearing or a small pebble of gravel, say, quartz, or one of each. A pebble would provide a physically un-cloneable element. The rattle would be completely mechanical, but could be designed with solderable leads for automatic part placement machines, or it could be epoxied in place. It would be possible to immobilize the rattle with a magnet if ferrous ball bearings are used, or in a centrifuge. This could be useful for testing and it should be possible for software to distinguish the proper operation of the rattle statistically.

This entropy generator would be cheap, simple and low-tech, with little room to hide back doors. 


Arnold Reinhold
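The collect / test / hash step described above, and the idea that software should be able to tell statistically whether the rattle is actually moving, as an added example that is not part of Reinhold's post. The accelerometer readings here are constructed (a seeded simulation of a 12-bit sensor with a noisy motor-on phase, a quieter motor-off phase, and a "stuck" mode for an immobilized rattle); a real build would read the sensor over its serial bus and toggle the motor from a GPIO pin. The health tests are the repetition count and adaptive proportion tests from NIST SP 800-90B sections 4.4.1 and 4.4.2, the entropy estimate is the most-common-value estimator of section 6.3.1, and the claimed 2 bits of min-entropy per 4-bit symbol, the 2x entropy margin and the noise levels are assumptions chosen for the illustration.

```python
"""Conditioning pipeline for a vibration-motor + accelerometer entropy source.

Added illustration, not code from the original post. Readings are simulated
(constructed data); health tests follow NIST SP 800-90B 4.4.1 / 4.4.2 and
the most-common-value min-entropy estimator of 6.3.1.
"""
import hashlib
import math
import random
import struct

H_CLAIM = 2.0        # assumed min-entropy per 4-bit symbol the source must meet
ALPHA = 2.0 ** -20   # health-test false-positive rate (SP 800-90B default)
WINDOW = 512         # adaptive proportion test window for non-binary sources
SEED_BITS = 256


def simulated_readings(n_cycles, seed, stuck=False):
    """Constructed stand-in for 12-bit signed accelerometer samples on one axis.

    Each cycle: 256 samples with the motor on (sigma 30 LSB, assumed) then
    256 samples with the motor off (settling rattle, sigma 4 LSB, assumed).
    stuck=True models an immobilized rattle / frozen sensor: no noise at all.
    """
    rng = random.Random(seed)
    out = []
    for _ in range(n_cycles):
        for sigma in (30.0, 4.0):
            for _ in range(256):
                noise = 0.0 if stuck else rng.gauss(0.0, sigma)
                val = int(round(1024 + noise))        # ~1 g static bias
                out.append(max(-2048, min(2047, val)))
    return out


def to_symbols(readings):
    """Keep the four noisiest low bits of each reading as the sampled symbol."""
    return [r & 0xF for r in readings]


def repetition_count_test(symbols, h_claim=H_CLAIM, alpha=ALPHA):
    """SP 800-90B 4.4.1: fail on a run of identical symbols reaching the cutoff."""
    cutoff = 1 + math.ceil(-math.log2(alpha) / h_claim)
    run, last = 0, None
    for s in symbols:
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return False
    return True


def adaptive_proportion_cutoff(h_claim=H_CLAIM, window=WINDOW, alpha=ALPHA):
    """1 + CRITBINOM(window-1, 2^-H, 1-alpha): smallest count the test rejects."""
    n, p = window - 1, 2.0 ** -h_claim
    cdf = 0.0
    for k in range(n + 1):
        cdf += math.comb(n, k) * p ** k * (1 - p) ** (n - k)
        if cdf >= 1 - alpha:
            return 1 + k
    return 1 + n


def adaptive_proportion_test(symbols, h_claim=H_CLAIM, window=WINDOW):
    """SP 800-90B 4.4.2: the first symbol of a window must not dominate it."""
    cutoff = adaptive_proportion_cutoff(h_claim, window)
    for start in range(0, len(symbols) - window + 1, window):
        block = symbols[start:start + window]
        if block.count(block[0]) >= cutoff:
            return False
    return True


def mcv_min_entropy(symbols):
    """SP 800-90B 6.3.1 most-common-value estimate (99% upper bound on p)."""
    n = len(symbols)
    p_hat = max(symbols.count(v) for v in set(symbols)) / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def condition(readings, seed_bits=SEED_BITS):
    """Run the health tests, then hash the raw readings into a seed.

    Raises ValueError rather than returning a seed when the source looks bad,
    so a stuck rattle can never silently yield a low-entropy seed.
    """
    syms = to_symbols(readings)
    if not repetition_count_test(syms):
        raise ValueError("repetition count test failed (stuck source?)")
    if not adaptive_proportion_test(syms):
        raise ValueError("adaptive proportion test failed (biased source?)")
    h = mcv_min_entropy(syms)
    if h < H_CLAIM:
        raise ValueError("estimated min-entropy %.2f below claim %.2f" % (h, H_CLAIM))
    if len(syms) * H_CLAIM < 2 * seed_bits:     # 2x margin over the seed size (assumed)
        raise ValueError("not enough samples collected")
    raw = struct.pack(">%dh" % len(readings), *readings)
    return hashlib.sha256(b"accel-rattle-v1" + raw).digest()[: seed_bits // 8]


if __name__ == "__main__":
    good = simulated_readings(n_cycles=8, seed=1)
    print("min-entropy/symbol: %.2f" % mcv_min_entropy(to_symbols(good)))
    print("seed:", condition(good).hex())
    try:
        condition(simulated_readings(n_cycles=8, seed=1, stuck=True))
    except ValueError as e:
        print("rejected:", e)
```

The seed is a hash of the raw readings, not of the 4-bit symbols, so the conditioning keeps whatever entropy the higher bits carry while the tests are run on the part of the signal expected to be noise. In keeping with the post's point about multiple sources, the 32-byte result should be hashed together with the output of an independently designed source before it seeds the deterministic RNG.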

