[Cryptography] A TRNG review per day (week?): ATSH204A

Clemens Ladisch clemens at ladisch.de
Sun Nov 9 15:27:17 EST 2014

Bill Cox wrote:
> "Certain randomness extractors need a random seed."
> Huh?  Which randomness extractors require a random seed?

Wikipedia defines a randomness extractor as
| a function, which being applied to output from a weakly random entropy
| source, together with a short, uniformly random seed, generates
| a highly random output that appears independent from the source and
| uniformly distributed.

Quite a few of the theoretical extractors proposed by researchers need
such a seed.  Which, of course, makes them unsuitable for pratical

As far as this chip is concerned, I think it is more likely that the
seed is used for a PRNG, i.e., it guarantees that the output looks
random even if the designers cannot guarantee a lower bound of the
TRNG's entropy.

> I find it very difficult to believe this device has a "high quality TRNG"
> as Atmel claims.  If it did, there would be no impact on the security of
> the system when the "seed update" is disabled.  There would be no need for
> the seed at all.

It's possible that the seed is just a protection against failure of the
TRNG; this would be a feature.  (But then they should have told us that.)


More information about the cryptography mailing list