[Cryptography] The world's most secure TRNG

John Ioannidis ji at tla.org
Mon Sep 29 00:28:05 EDT 2014


On Sun, Sep 28, 2014 at 7:27 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> I have a quick question for you guys.  For a USB stick TRNG, would you
> rather pay ~$15 for a 100K-byte/second source of true entropy, or ~$30 for a
> 1M-byte/second source?
>
> I am currently designing a USB stick version of an INM to promote the
> architecture.  I plan to offer them for sale for what it costs me to build
> them, which in low volume I expect to be around $15 to $30 depending on the
> speed target.  Schematics, board layout, and BOM will be made public-domain.
> Currently my target spec is 1MiB/second (mega-byte, not bit), over USB 2.0,
> but some of the high-performance parts are expensive (high-speed buffer,
> comparator, op-amp, and analog switch).  Just using a jelly-bean quad op-amp
> is super-cheap, but 20X slower.
>
> The jelly-bean op-amp based versions are available on github, with LTspice
> schematics and sims:
>
> https://github.com/waywardgeek/infnoise
>
> It's cheap, comparatively fast, and unlike other TRNGs, it's easy to get
> right.  It is 10X more fool-proof than any other TRNG I know of, simply
> because of its near immunity to signal injection, power supply noise,
> cross-talk, etc.  No shielding is required, and the power supply can be
> noisy.  No care needs to be taken with cross-talk between traces.  Attackers
> are welcome to inject strong signals into this TRNG, which simply results in
> enhancing entropy, rather than subverting it.  It turns out that attackers
> make a nice source of entropy, and INMs add all sources, without letting any
> saturate the signal.
>
> Basically, TRNGs today generally amplify a noise source until it saturates
> to a 0 or 1.  Such systems are *very* hard to get right because they are so
> sensitive to external noise.  The right way to amplify the noise source is
> with modular multiplication rather than saturating multiplication. It is as
> simple as that.
>
> There is some analysis on that page, and test-code to verify that the level
> of entropy shifted out per bit, when the loop amplification is A, is:
>
>     E = log(A)/log(2)
>
> For example, when using a gain of sqrt(2), rather than 2, each bit shifted
> out contributes 1/2 bit to the entropy pool.  I've written code to test the
> entropy of INM output, and measurements on simulation data closely match
> this equation.
>
> At least for the most sensitive cryptography, I think we should stop using
> zener noise, oscillator jitter, latch power-up state, and other TRNG
> architectures that are highly sensitive to noise that could be controlled by
> an attacker, and which are too hard for regular guys to get right on a
> board.
>
> Bill
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography


Why are you wasting our time? Unless you can back your claims with
underlying theory, they remain claims. Making arbitrary assumptions
and then claiming that your simulations bear them out is not science;
at best, it's sloppiness.

Oh, and please learn English. Your prose is painful to read.

/ji
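The entropy claim in the quoted post, E = log(A)/log(2), can at least be checked numerically. The block below is an added example written for this page; it is neither Bill Cox's code nor the infnoise project's, and it uses a deliberately simplified circuit model: a state in [0, 1) is multiplied by the loop gain A, compared against 1 to produce the output bit, and reduced modulo 1, with constructed Gaussian noise standing in for the analog noise source. The noiseless map x -> A*x mod 1 is the beta-transformation studied by Rényi and Parry, whose entropy is log(A) per iteration, so the simulation checks whether the empirical conditional entropy of the output bits approaches log2(A) for the two gains the post mentions (2 and sqrt(2)). It also shows why a gain of sqrt(2) cannot deliver a full bit per output: after a 1 the state is below A-1, so the pattern 11 never occurs.

```python
"""Toy discrete-time model of modular-multiplication noise amplification.

Constructed example (not the infnoise circuit or the original poster's code):
the state x in [0, 1) is multiplied by the loop gain A every cycle, the
output bit records whether the product reached 1, and the product is then
reduced modulo 1.  A small Gaussian term stands in for the analog noise
source.  The claim under test is E = log(A)/log(2) bits of entropy per
output bit.
"""
import math
import random
from collections import Counter


def inm_bits(gain, n_bits, noise_sigma=1e-3, seed=1):
    """Generate n_bits output bits ('0'/'1' characters) from the toy model.

    gain must lie in (1, 2] so that each cycle's product A*x is below 2 and
    the modular reduction is a single conditional subtraction, matching the
    post's description of the amplifier.
    """
    assert 1.0 < gain <= 2.0, "model assumes a loop gain in (1, 2]"
    rng = random.Random(seed)          # seeded so the run is reproducible
    x = rng.random()                   # arbitrary start state in [0, 1)
    out = []
    for _ in range(n_bits):
        y = gain * x + rng.gauss(0.0, noise_sigma)   # amplify, add noise
        bit = 1 if y >= 1.0 else 0                    # comparator output
        out.append("1" if bit else "0")
        x = y - bit                                   # modular reduction
        x = min(max(x, 0.0), 1.0 - 1e-12)             # keep noise in range
    return "".join(out)


def block_entropy(bits, k):
    """Shannon entropy, in bits, of the empirical distribution of k-bit windows."""
    counts = Counter(bits[i:i + k] for i in range(len(bits) - k + 1))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def entropy_rate(bits, k=12):
    """Estimate entropy per output bit as H_k - H_(k-1): the conditional
    entropy of one bit given the k-1 bits that precede it."""
    return block_entropy(bits, k) - block_entropy(bits, k - 1)


def predicted_rate(gain):
    """The post's formula: E = log(A)/log(2) bits per output bit."""
    return math.log(gain) / math.log(2)


if __name__ == "__main__":
    for gain in (2.0, math.sqrt(2.0)):
        bits = inm_bits(gain, 300_000)
        print(f"A={gain:.4f}  predicted E={predicted_rate(gain):.3f}  "
              f"measured E={entropy_rate(bits):.3f}  "
              f"'11' occurs: {'11' in bits}")
```

Running the block prints predicted and measured rates for both gains. The measured value for sqrt(2) sits a little above 0.5 because a window of eleven previous bits does not capture all dependence on the past (the estimate decreases toward log2(A) as k grows), while the usual finite-sample bias of the plug-in estimator pulls the A = 2 result slightly below 1. The caveat a practitioner should keep in mind is that agreement between this simulation and the formula says nothing about a physical board: an entropy estimate computed from the device's own output measures statistical structure, and cannot tell a noise-driven process from a deterministic chaotic map seeded once, so a hardware claim needs a model of the actual noise source and independent measurement, not just output statistics.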

