[Cryptography] A TRNG Review Per Day: TrueRNG
Bill Cox
waywardgeek at gmail.com
Wed Nov 12 12:45:48 EST 2014
On Tue, Nov 11, 2014 at 11:05 PM, Dave Horsfall <dave at horsfall.org> wrote:
> On Tue, 11 Nov 2014, Bill Cox wrote:
>
> > Partly in response to this insult to open-hardware, I built an an actual
> > open-hardware USB TRNG, and made it available on Tindie:
>
> Speaking of which, have you done any correlation tests with two of them
> side-by-side? That could be awfully embarrassing :-)
>
Of the Infinite Noise keys? I just did, since you mentioned the idea. It
was slightly tricky getting both going at once on my laptop. If there is
correlation in the raw output, I have not yet been able to find it. There
should be a small correlation. For one thing, they both output slightly
more 1's than 0's, which should be reported as a correlation. The 'ent'
program rates both outputs at 0.92 bits of entropy per bit, which happens
to be an over-estimate. I compute 0.876 bits of entropy per output bit
from both USB keys. Because of this, I do not put much stock in ent
entropy estimates.
When I compress each output with bzip2, and then compress the combined
files, the combined file size is 0.07% larger, so bzip2 found no useful
repeating patterns between the two outputs to enable it to compress any
better. Ent also reported 0.92 bits of entropy for the combined file, just
like each individually.
As for TrueRNG, I think it would be awesome to have access to both entropy
streams individually, before any whitening. I would expect some
correlation. Power supply noise, for example, is likely impact both
outputs in a similar manner, and while careful analog design can reduce
this effect, it cannot be completely eliminated.
However, a small correlation is OK. We can just subtract any measurable
correlation from the estimated entropy per source. The only thing that
would be bad, I suspect, is very long sequences of bits from both sources
that are equal, or very high correlation. That might indicate that some
external signal is overriding the zener noise in both entropy sources at
the same time, often enough to make the output predictable.
Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141112/fa1db8e1/attachment.html>
More information about the cryptography
mailing list