[Cryptography] The world's most secure TRNG

ianG iang at iang.org
Tue Sep 30 00:56:32 EDT 2014


On 29/09/2014 05:15 am, Bill Cox wrote:
> One more question, though I think I know the answer, based on "cheap" is
> the #1 goal:
> 
> I'm using the cheapest FPGA available: a $2 Lattice ICE part with 384
> LUT/Flops.  This is more than enough for interfacing to the USB fifo,
> but not enough to whiten the signal with cryptographic security.  I know
> I need to provide the raw signal without whitening - that can be done in
> software.  However, is there any value in also incorporating a Keccak
> sponge so that whitening can be done on the USB stick?  This would
> probably require a $4 or $5 FPGA.


This is where it gets messy because there are two answers in opposition.

If we (the buyer/user) are serious enough about using a hardware part
then that means we don't trust other parts.  Which also means we don't
trust your part.  So we have to construct a mixer/PRNG that takes inputs
from a number of collectors.  Your collector being one of them, thanks
muchly, and it should be fully uncorrelated with the others.

Then, because we mix and then plug the result into a PRNG, which
typically is guaranteed to have a whitened output, there is no need to
whiten your collector output.

However, because most devs won't understand the above argument, if you
actually supply an unwhitened RNG then geeks will look at it and decide
that because they see certain biases in it then it must be broken!  And
broken they will call it.  And broken will be your sales.

So from a marketing point of view you should put a whitener on the part.

That said, I'd not go for anything sophisticated.  Keccak is way too
much especially if it breaks your part budget.  What can you do with
your $2 part?



iang
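
The collector, mixer and PRNG arrangement described in the message above, as an added example that is not part of the original post. The collector names, the simulated bias levels, and the choice of SHA3-256 as mixer and SHAKE-256 as the PRNG stage are all assumptions made for illustration.

```python
import hashlib
import random

def biased_collector(rng, nbytes, p_one):
    """Constructed stand-in for a raw, unwhitened source: each bit is 1 with probability p_one."""
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (rng.random() < p_one)
        out.append(byte)
    return bytes(out)

def mix(samples):
    """Mixer: hash every collector's sample, length-prefixed so inputs cannot run together."""
    h = hashlib.sha3_256()
    for name, data in sorted(samples.items()):
        label = name.encode()
        h.update(len(label).to_bytes(2, "big") + label)
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def prng_output(seed, nbytes):
    """Stand-in for the PRNG stage: expand the mixed seed with SHAKE-256."""
    return hashlib.shake_256(b"expand" + seed).digest(nbytes)

def ones_fraction(data):
    """Fraction of 1 bits, the crude bias check a casual tester would run."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def demo():
    # Fixed seed so the constructed samples are reproducible; a real
    # collector would deliver hardware noise here, not random.Random.
    rng = random.Random(2014)
    samples = {
        "usb_trng_raw": biased_collector(rng, 4096, 0.80),     # hypothetical name
        "other_collector": biased_collector(rng, 4096, 0.35),  # hypothetical name
    }
    out = prng_output(mix(samples), 4096)
    return ones_fraction(samples["usb_trng_raw"]), ones_fraction(out)

if __name__ == "__main__":
    raw, out = demo()
    print(f"raw collector ones fraction: {raw:.3f}")
    print(f"PRNG output ones fraction:   {out:.3f}")
```

The output looks unbiased regardless of how skewed the raw collectors are; its unpredictability still depends entirely on the entropy those collectors actually delivered.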


