[Cryptography] A TRNG review per day (week?): ATSHA204A has low entropy

Bill Cox waywardgeek at gmail.com
Fri Dec 5 08:09:33 EST 2014


On Fri, Dec 5, 2014 at 7:00 AM, Bill Cox <waywardgeek at gmail.com> wrote:

> If I made no mistake (and I do make a lot), the "random" data from the
> Atmel ATSHA204A is highly predictable when you disable the seed update to
> EEPROM.  Until we understand this predictability in their output data,
> I believe any "random" data from this part should not be used for crypto.
>
> I generated 32 bytes of "random" data repeatedly with the Hashlet, after
> disabling update_seed (I set the default to false in cli_commands.c).  I
> ran 1MiB of this generated data through a little bit predictor I wrote, and
> verified that each output bit has less than 0.5 bits of entropy.
>
> Bill
>

To check my results, feel free to download two data files I generated using
the Hashlet, containing the Atmel part:

https://github.com/waywardgeek/infnoise/tree/master/hashlet_data

The "one_go" file is what I get when asking for 100,000 bytes in one call
to random.  It has no simple correlations I see.  The randdata file was
generated by generating 32 bytes from the hashlet over and over, without
updating the EEPROM seed.  Bits in these 32 bytes are highly predictable,
based on the previous several bits.

To measure this predictability, I ran it through the usual program "ent",
and also a program I wrote specifically to predict the next bit based on
the previous N bits.  Ent only detects a 0.1% level of non-randomness.
However, the predictor program I wrote can compress this file by more than
2X.

The predictor program is in infnoise/software/entcheck.c.  You can convert
the hex output from the hashlet program to binary using hex2bin.

I am still tuning the predictor, but if I haven't goofed up, I seem to be
able to compress the "random" data from the Atmel part by over 10X.

Bill
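As an added example (my own code, not Bill's entcheck.c or his hex2bin), here is the order-N next-bit predictor idea from the message, written as an adaptive context model: each bit is predicted from the previous N bits, the bit that actually arrives is charged -log2(p), and the total charge is the size an arithmetic coder driven by that model would emit. Raw bits divided by charged bits is the achievable compression ratio, so it is directly comparable to the "more than 2X" and "over 10X" figures above. The two input streams are constructed here (a seeded uniform source and a first-order Markov source that repeats the previous bit with probability 0.9); neither is ATSHA204A data.

```python
"""Order-N next-bit predictor used as an entropy estimator (added example).

Models each bit from the previous `order` bits with adaptive counts and
charges -log2(p) for the bit that actually arrived.  The total charge is
the ideal arithmetic-coded size, so raw/charged is the compression ratio.
Truly random input gives about 1.0; a ratio well above 1 means the bits
carry less than one bit of entropy each.
"""
import math
import random


def hex_to_bytes(text: str) -> bytes:
    """Parse hex dump text (spaces/newlines ignored) into bytes; the same
    job as the hex2bin step the message mentions (this is not that tool)."""
    return bytes.fromhex("".join(text.split()))


def bits_of(data: bytes):
    """Yield the bits of `data`, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def predictor_cost(data: bytes, order: int = 8) -> dict:
    """Run an adaptive order-`order` context model over the bit stream.

    Returns the raw bit count, the ideal coded size in bits, the estimated
    entropy per bit (coded/raw) and the compression ratio (raw/coded).
    Laplace (add-one) smoothing keeps p strictly inside (0, 1): a bit in a
    never-seen context costs exactly 1 bit, so random input cannot
    "compress" by more than chance fluctuation.
    """
    mask = (1 << order) - 1
    counts = {}            # context (last `order` bits) -> [zeros, ones]
    ctx = 0
    raw = 0
    coded = 0.0
    for b in bits_of(data):
        c = counts.setdefault(ctx, [0, 0])
        p = (c[b] + 1) / (c[0] + c[1] + 2)   # smoothed P(this bit | context)
        coded += -math.log2(p)
        c[b] += 1
        raw += 1
        ctx = ((ctx << 1) | b) & mask
    return {
        "raw_bits": raw,
        "coded_bits": coded,
        "bits_per_bit": coded / raw,
        "compression_ratio": raw / coded,
    }


def markov_bits(n_bytes: int, p_repeat: float, seed: int = 1) -> bytes:
    """Constructed sample: each bit repeats the previous one with probability
    p_repeat.  True entropy is H(1 - p_repeat) bits per bit, about 0.47 for
    p_repeat = 0.9, so a good predictor should compress it roughly 2.1x.
    Stands in for a correlated TRNG output; it is not ATSHA204A data."""
    rng = random.Random(seed)
    out = bytearray()
    bit = 0
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            if rng.random() >= p_repeat:
                bit ^= 1
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def uniform_bits(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed sample with no structure an order-N model can exploit."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_bytes))


if __name__ == "__main__":
    for name, sample in (("uniform", uniform_bits(1 << 15)),
                         ("markov p=0.9", markov_bits(1 << 15, 0.9))):
        r = predictor_cost(sample, order=8)
        print(f"{name:14s} {r['bits_per_bit']:.3f} bits/bit, "
              f"compresses {r['compression_ratio']:.2f}x")
```

The check a practitioner wants before trusting a 2X or 10X figure is built into the charging rule: for an i.i.d. uniform source, the expected code length of any sequential model is at least one bit per bit, so a ratio well above 1 reflects real structure rather than the predictor overfitting. The flip side is that a higher order needs exponentially more data (2^N contexts each have to be seen many times), so on a 1 MiB file an order of 16 to 20 is about the practical limit, and a ratio that climbs only when the order is pushed past that point should be treated with suspicion.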