[Cryptography] The world's most secure TRNG

Arnold Reinhold agr at me.com
Tue Sep 30 18:06:23 EDT 2014


On Mon, 29 Sep 2014 21:56 ianG <iang at iang.org> wrote:
> On 29/09/2014 05:15 am, Bill Cox wrote:
>> One more question, though I think I know the answer, based on "cheap" is
>> the #1 goal:
>> 
>> I'm using the cheapest FPGA available: a $2 Lattice ICE part with 384
>> LUT/Flops.  This is more than enough for interfacing to the USB fifo,
>> but not enough to whiten the signal with cryptographic security.  I know
>> I need to provide the raw signal without whitening - that can be done in
>> software.  However, is there any value in also incorporating a Keccak
>> sponge so that whitening can be done on the USB stick?  This would
>> probably require a $4 or $5 FPGA.
> 
> 
> This is where it gets messy because there are two answers in opposition.
> 
> If we (the buyer/user) are serious enough about using a hardware part
> then that means we don't trust other parts.  Which also means we don't
> trust your part.  So we have to construct a mixer/PRNG that takes inputs
> from a number of collectors.  Your collector being one of them, thanks
> muchly, and it should be fully uncorrelated with the others.
> 
> Then, because we mix and then plug the result into a PRNG, which
> typically is guaranteed to have a whitened output, there is no need to
> whiten your collector output.

Agreed.

> 
> However, because most devs won't understand the above argument, if you
> actually supply an unwhitened RNG then geeks will look at it and decide
> that because they see certain biases in it then it must be broken!  And
> broken they will call it.  And broken will be your sales.
> 
> So from a marketing point of view you should put a whitener on the part.

I disagree here. It’s time we stopped second-guessing people and assumed other engineers will do their job. Your device should come with a spec sheet characterizing how it deviates from perfectly random, and, if possible, include some test software intended to distinguish it from a fake device with a PRNG.

As I see it, the real need for an inexpensive, high quality TRNG is for disk-less embedded systems, e.g. the Internet of Things. There even $2 can be prohibitively expensive. On the other hand, an I2S bus interface is all that is needed, which could let you use a cheaper part. The major IoT use case is generating a unique public/private key pair at first startup, when other entropy sources are not available. But the software for generating public/private key pairs had better be written by someone who knows what they are doing, and expecting them to whiten your entropy first is not unreasonable.

Arnold Reinhold
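The arrangement ianG describes above (several independent collectors hashed into one seed, with whitening done by the consumer's mixer/PRNG rather than on the stick) and the spec-sheet characterization Arnold asks for, as an added example that is not code from the thread or from Bill Cox's device. The biased collector is simulated; the function names `raw_collector_sample`, `bias_report`, `mix_seeds` and `expand` are this example's own, and the min-entropy figure is a simplified most-common-value estimate, not a full SP 800-90B assessment.

```python
"""Mix several independent raw entropy collectors into one whitened seed.

Added example, not code from the mailing-list thread or any product.
It shows (1) a crude bias report of the kind a collector's spec sheet
could carry, and (2) why the consumer, not the USB stick, whitens: all
collectors are absorbed into one sponge, so a biased (or even hostile)
collector cannot pull the seed's quality below that of the others.
"""
import hashlib
import math
import os
import random
import struct
from typing import Sequence


def raw_collector_sample(n_bytes: int, ones_prob: float = 0.55, seed: int = 1) -> bytes:
    """Constructed stand-in for an unwhitened hardware collector.

    Each bit is 1 with probability ones_prob, so the stream is visibly
    biased: the kind of output the thread says "geeks" will call broken.
    Deterministically seeded so the example is reproducible.
    """
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (1 if rng.random() < ones_prob else 0)
        out.append(byte)
    return bytes(out)


def bias_report(raw: bytes) -> dict:
    """Spec-sheet style characterization of a raw stream.

    Returns the fraction of one bits and a per-bit min-entropy estimate
    from the most common value (a simplified form of the MCV estimator in
    NIST SP 800-90B; a real characterization would also look at serial
    correlation, not just single-bit bias).
    """
    n_bits = 8 * len(raw)
    ones = sum(bin(b).count("1") for b in raw)
    p_ones = ones / n_bits
    p_max = max(p_ones, 1.0 - p_ones)
    h_min = 0.0 if p_max >= 1.0 else -math.log2(p_max)
    return {"bits": n_bits, "ones_fraction": p_ones, "min_entropy_per_bit": h_min}


def mix_seeds(collectors: Sequence[bytes], seed_len: int = 32) -> bytes:
    """Hash every collector's raw output into one seed.

    Each input is length-prefixed so collectors cannot collide by shifting
    bytes between each other, and SHAKE256 (a Keccak sponge, as mentioned
    in the thread) absorbs them all. If at least one collector is
    unpredictable, the seed is, whatever the others emit.
    """
    sponge = hashlib.shake_256()
    sponge.update(struct.pack(">I", len(collectors)))
    for raw in collectors:
        sponge.update(struct.pack(">I", len(raw)))
        sponge.update(raw)
    return sponge.digest(seed_len)


def expand(seed: bytes, n_bytes: int) -> bytes:
    """Derive a whitened output stream from the seed.

    SHAKE256 is used as the extendable-output stage; a production PRNG
    would add reseeding and forward secrecy, which this example omits.
    """
    return hashlib.shake_256(b"prng-output" + seed).digest(n_bytes)


def demo() -> dict:
    raw = raw_collector_sample(4096)      # biased hardware collector
    other = os.urandom(32)                # a second, independent source
    seed = mix_seeds([raw, other])
    whitened = expand(seed, 4096)
    return {"raw": bias_report(raw), "whitened": bias_report(whitened)}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:9s} ones={rep['ones_fraction']:.3f} "
              f"H_min/bit={rep['min_entropy_per_bit']:.3f}")
```

Run as a script it prints the raw stream's bias (about 0.55 ones, roughly 0.86 bits of min-entropy per bit) beside the whitened stream's (about 0.50). The point of the length prefixes in `mix_seeds` is that a collector which can see its neighbours' bytes still cannot steer the combined seed; the point of keeping `bias_report` separate from `expand` is that the device's raw statistics stay observable even though the output is whitened.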
