[Cryptography] TRNG review: Arduino based TRNGs

Bill Cox waywardgeek at gmail.com
Wed Jan 13 18:11:27 EST 2016


On Wed, Jan 13, 2016 at 2:45 PM, Stephen Wood <smwood4 at gmail.com> wrote:

> > assuming we could use the PWM to force A0 to a value that keeps
> > randomly flipping between 0x200 and 0x1FF, by using an RC filter on the PWM
> > connected through a resistor to A0.
>
> Interesting. Wouldn't such a circuit still exhibit a bias and variance
> between units that required whitening? Could that be accomplished so that
> each Arduino/IoT-stick was able to generate random data without additional
> software?
>

AFAIK, there is no such thing as an entropy source that does not require
whitening.  They all produce biased/correlated bits.

You can whiten with simple software schemes, such as was done in
probably_random.  Rotating and XORing bits in from the entropy source
eventually will make your value indistinguishable from perfectly random.
My change above to probably_random left the rotate-XOR in place, and just
does 8X more of them per output byte.

However, CPRNGs do not care.  As long as you feed enough biased/correlated
bits into the CPRNG to seed it, you are in good shape.  My "infinite noise
multiplier" TRNG produces something like 0.85 bits of randomness per output
bit.  I feed 512 of them into /dev/random all at once, so you get > 400
bits of "entropy" all at once, where "entropy" is defined as
1/log2(surprise), where surprise is the probability of seeing the 512 bits
we saw, given a model for how likely it is.  The properties I like about
modular entropy multipliers are:

1) There is a simple model for estimating the entropy in a string of bits,
which is good for health monitoring.  Note that a string of bits
technically does not have entropy - only the channel does, but you can
_estimate_ the entropy.
2) It is fairly robust against power supply noise and other sources of
interference.
3) The thermal noise is ensured to be there, based on simple thermodynamics.

Ring oscillator based entropy sources are the most common kind to find in
an IC.  Just put 5 or maybe 7 inverters in a loop to create a ring
oscillator, and sample the output of one of them every once in a while to
see if it is a 0 or 1.  Jitter is caused by various factors, but thermal
noise is always there.  If you don't know the current state of the ring
oscillator (which inverter is in the process of switching), you don't know
whether to speed it up or slow it down to make the next output a 1 or 0.
However, one attack showed that common security ICs using ring oscillator
TRNGs can be controlled through power supply noise, since there is
inductance in the wiring in the ring oscillator, and this is enough to sync
the oscillator to an injected power supply oscillation.  Still, all that is
required to use them securely is good engineering.  Don't let an attacker
inject a large power supply oscillation :)

Bill
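A worked illustration of the two ideas above (rotate-XOR whitening of a biased source, and a surprisal-based entropy estimate under a model), added here as an example; it is not code from probably_random or from the infinite noise multiplier. The biased source, the 64-source-bits-per-output-byte rate and the P(1)=0.7 model are assumptions; surprisal is computed as -log2 of the modelled probability.

```python
import math
import random

# Constructed biased source: independent bits with P(1) = p_one, standing in
# for a raw sample such as an ADC LSB. Fixed seed keeps the run reproducible.
def biased_bits(n, p_one=0.7, seed=1):
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def rotate_xor_whiten(bits, bits_per_byte=64):
    """Rotate-XOR whitening (assumed form): an 8-bit accumulator is rotated
    left by one and the next source bit XORed into its low position, so each
    accumulator bit is the XOR of every 8th source bit seen so far. One byte
    is emitted per bits_per_byte source bits (8x the rate of 8 bits/byte)."""
    acc, out = 0, []
    for i, b in enumerate(bits, 1):
        acc = ((acc << 1) | (acc >> 7)) & 0xFF  # rotate left by one
        acc ^= b                                 # fold the new source bit in
        if i % bits_per_byte == 0:
            out.append(acc)
    return out

def bytes_to_bits(data):
    return [(byte >> k) & 1 for byte in data for k in range(8)]

def ones_fraction(bits):
    return sum(bits) / len(bits)

def surprisal_bits(bits, p_one):
    """Entropy estimate: -log2 P(bits | model) for an independent-bit model
    with P(1) = p_one. This estimates the channel's entropy from the sample;
    the bit string itself has no entropy. Useful as a health-monitor figure."""
    return sum(-math.log2(p_one if b else 1.0 - p_one) for b in bits)

def demo(n=4096, p_one=0.7):
    raw = biased_bits(n, p_one)
    white = bytes_to_bits(rotate_xor_whiten(raw))
    return {
        "raw_ones": ones_fraction(raw),          # ~0.7: visibly biased
        "white_ones": ones_fraction(white),      # ~0.5 after rotate-XOR
        "entropy_per_raw_bit": surprisal_bits(raw, p_one) / n,
        # Shannon entropy of the model, the value the estimate should track
        "ideal_per_bit": -(p_one * math.log2(p_one)
                           + (1 - p_one) * math.log2(1 - p_one)),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v:.4f}")
```

Raising the bias, or feeding a source whose bits are correlated rather than independent, makes the surprisal estimate under this independent-bit model overstate the entropy; the model has to match the source for health monitoring to mean anything.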