[Cryptography] Photon beam splitters for "true" random number generation ?

Theodore Ts'o tytso at mit.edu
Tue Dec 29 11:54:36 EST 2015

On Tue, Dec 29, 2015 at 10:17:37AM -0500, Jerry Leichter wrote:
> I was instead raising the question of environmentally induced
> faults.  Could playing around with the power, or heating or cooling,
> or microwave irradiation, encourage the particular "doesn't erase
> but can still be read" behavior?

John, can you expand how you think this behavior is *very* likely, and
how it can be induced?

Flash cells essentially hold a charge surrounded by a dielectric
material; it is programmed by applying a large enough voltage
potential to overcome the dieletric meterial, and it is read by
reading the voltage level in the charge bit.  This is why flash cells
have a limited number of write cycles.  As you write to flash by
applying a large voltage potential to force charge through the
dieletric material, this degrades the material so that the charge can
no longer be reliably held.

This is why TLC flash has much lower write endurance than SLC flash.
With SLC flash, you are storing a single bit of information per flash
cell, so the flash controller has to distinguish between '0' and '1'.
With TLC flash, you are storing three bits of information per flash
cell, which means the flash controller has to distinguish between
eight possible voltage levels.  Since over time, the charge will
dissipate due to flaws in the dieletric, and this increases as the
temperature increases, as the feature size of the flash becomes
smaller, and as the number of write cycles increases, it follows that
TLC flash is much less durable than SLC flash --- to the point that
flash manufacturers are starting to use ECC and "smart" flash cells
that try to take into account time elapsed and flash aging make a
better chance of predicting how the voltage curves of the charge will
change over time.

(Flash failure is defined by the probability reaching some threshold
value after a threshold amount of time when the cell is held at a
specific temperature; and SSD manufacturers refuse to publicize what
test values they are using when they make write endurace claims with
their products.  This is why I don't consider flash appropriate for
long-term storage of precious data.  Flash is only useful as cache as
far as I'm concerned; data on my computers isn't really safely stored
until it is backed up on spinning platters, or replicated on git
servers all around the world.  :-)

All of this being said, most ways of influencing flash externally will
more likely decrease the flash lifetime, so the data isn't reliably
stored for as long of a time.  Also, because reads are much faster
than time to program a flash cell, most flash controllers will do a
trial read after a write.  So if you can somehow cause a flash cell to
be "stuck" at a certain voltage level, the flash controller will
notice when it tries to program a new value.

If you can hack the flash controller, of course then you can do
anything you want.  This is the same problem as alleged ability of the
NSA to compromise the controller of hard drives and can thus introduce
malware into the controller hardware.  But in that case, you're not
really hacking the flash cell, you're hacking the controller, and
that's a different unsolved problem.  (Since it requires embedded
programmers to be competent at writing digital signature checks to
protect their firmware upgrade process, and controller programs are
generally considered trade secrets so it's very hard to audit it, it
really is going to be a very hard problem to solve indeed.)


						- Ted

More information about the cryptography mailing list