[Cryptography] The world's most secure TRNG

Bill Cox waywardgeek at gmail.com
Tue Oct 21 01:05:21 EDT 2014


Top posting just the new news, with responses to your comments below.

The breadboard works!  The estimated entropy coming out of the Infinite
Noise Multiplier is very close to the predicted amount.  I measure it by
recording outcomes given the previous 16 bits many times until I have a
reasonable guess for the probability of the next bit being a 1 or 0.  I use
that to estimate the probability of a long string of bits occurring.  The
entropy is estimated as log2(1/P(S)), where P(S) is the probability
estimate of the string of bits S occurring.  This estimated entropy closely
matches the expected log2(K), where K is the gain in the op-amp circuit.  I
tested this for 3 different gains, and they all matched within 5% of the
theoretical value.  I added a picture of the breadboard here:

https://github.com/waywardgeek/infnoise

I also wrote some code to find how soon we see a repeated string N bits
long.  The data from the INM has repeated strings of size N consistent with
the estimated entropy.  This proves that there is no scary cycling of the
same outputs over and over, at least with a period less than the expected
length before seeing an N-bit repeated string (20,000+ in my tests for 34
bits).

On Thu, Oct 9, 2014 at 2:12 AM, ianG <iang at iang.org> wrote:

> On 9/10/2014 01:59 am, Bill Cox wrote:
> > On Wed, Oct 8, 2014 at 7:00 PM, Dave Horsfall <dave at horsfall.org
> > <mailto:dave at horsfall.org>> wrote:
> >
> >     It's possible that I may have missed this (the list seems to have
> spiked
> >     lately), but how would the device present itself to the host?  A
> serial
> >     stream of random bits (like a terminal or a keyboard), or some sort
> of a
> >     structure with command and control etc?
> >
> >     -- Dave
> >     _______________________________________________
> >     The cryptography mailing list
> >     cryptography at metzdowd.com <mailto:cryptography at metzdowd.com>
> >     http://www.metzdowd.com/mailman/listinfo/cryptography
> >
> >
> > No command/control.  In fact, I feel a lot better not having a
> > microcontroller on there that could transmit nasty malware when being
> > plugged into a new system, or which could be reprogrammed to emit
> > non-random data.
>
>
> My guess is that if you don't have an easy defined interface (file? tty)
> then it won't work in the marketplace.
>

For now, I've got an application that reads from the USB using the existing
serial interface driver that comes with the FT240X USB interface chip I'm
using.

It normally whitens by reading 2X the amount of entropy requested and
filtering it through the 1600 bit version of the Keccak (SHA3) sponge.  It
just writes the binary data to stdout for now, but it's simple to make that
a file socket or whatever.  There's a --raw flag which dumps raw data from
the noise source without whitening.  I have been doing some fun health
checking stuff with that.  A --debug flag causes it to print estimated
entropy, gain in the op-amp, and a couple of other stats.


> In terms of the nasty malware, what would be nice would be a firewall.
> A device that has male & female and sits there and watches for naughty
> traffic.  If this came with a good RN source as well, I'd reckon it
> would be a hit.
>

Some sort of automated Internet traffic cop might be a hit.  If it needs a
source of random data, it's about $1 in extra components to an embedded
system.


> ...
> > How important is the proper USB connector vs a raw connector with no
> > housing like the DigiSpark?  Do we really feel we need to wrap this
> > thing in metal to keep it from radiating secret bits?
>
>
> Yes, otherwise it will be noisy :)  You don't want it interfering with
> random gear.
>
> You could probably get away without in a prototype device and encourage
> someone to do some testing...
>

I added a real USB connector, and have nickle EMI paint I can use on the
inside of the USB key housing. Hopefully that will keep it quiet.


> > I figure if we
> > feed it into a whitener, an attacker would have to know *every* bit to
> > know the state of the whitener.  That seems like a tall order for an
> > attacker trying to read bits from EMI.
>
>
> Oh, no :)  In the crypto world we deal with bit-rated paranoia.  Even
> one bit leaked to an attacker will earn the device the BROKEN award.
>

True enough.  I'm shielding it with conductive paint on the inside of the
plastic housing.  I am tempted to leave the housing un-glued so that users
can take it apart if they like and poke at the internals.   I saw at least
one TRNG company that encases their electronics in potting material.
That's no better than Intel asking us to just trust that their TRNG circuit
is secure.  If we can't open it up and see for ourselves, why should we
trust the manufacturer?

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141021/1a2ecd66/attachment.html>


More information about the cryptography mailing list