[Cryptography] TRNG review: Arduino based TRNGs

Bill Cox waywardgeek at gmail.com
Thu Jan 14 12:29:22 EST 2016


I did another test on the output from probably_random, which confirms my
suspicion that slightly less than one bit of entropy per byte is generated
by the timer.

One of my main concerns was that sequences of timer samples closer together
in time would be repeated more often, as the drift we see in the timer
could be due to lots of things other than thermal noise.  When looking for
16 byte long repeated sequences, I found one repeated 49 times in a 256KiB
file of sequential 8-bit timer samples.  I compared that to a 256KiB random
file of ASCII '0' and '1' (one bit of randomness per byte).  It had a 16
byte sequence repeated 15 times, but none more than that.

To be safe using timer noise, we must use more than 8 sequential samples
per output byte.  I think 64 might be OK, but more testing is required.  If
someone ran a number of parts in various conditions, like running off a
battery in a Faraday cage, and running with strong injected periodic power
supply noise very close to the frequency of the on-chip timer oscillator,
I might begin to feel better about using this 8-bit per second modified
version of probably_random for crypto.

As it is for now, all I can say is what the probably_random author said.
The modified version that generates only 8 bits per second is probably
random :)  I do not recommend this hack for crypto without a lot more
testing.

Bill
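
The repeated-sequence test described in the message above, as an added example that is not part of the original post or of probably_random. The function names, the use of overlapping windows, and the seeded '0'/'1' streams standing in for real timer captures are all assumptions.

```python
import random
import sys
from collections import Counter

WINDOW = 16          # sequence length used in the post
SIZE = 256 * 1024    # 256KiB, the file size used in the post

def max_repeat(data: bytes, window: int = WINDOW):
    """Return (count, sequence) for the most frequent `window`-byte run.
    Overlapping windows are an assumption; the post does not say."""
    if len(data) < window:
        return 0, b""
    counts = Counter(data[i:i + window] for i in range(len(data) - window + 1))
    seq, n = counts.most_common(1)[0]
    return n, seq

def expected_mean(n_bytes: int, bits_per_byte: float, window: int = WINDOW) -> float:
    """Average repeats per distinct sequence if every byte carried
    `bits_per_byte` independent, uniformly distributed bits."""
    return (n_bytes - window + 1) / 2 ** (bits_per_byte * window)

def bit_stream(size: int, p_one: float, seed: int) -> bytes:
    """Constructed test data: ASCII '0'/'1' bytes, '1' with probability p_one.
    Seeded Mersenne Twister, for a reproducible demo only."""
    rng = random.Random(seed)
    return bytes(0x31 if rng.random() < p_one else 0x30 for _ in range(size))

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # a capture file of raw samples
        with open(sys.argv[1], "rb") as f:
            streams = {sys.argv[1]: f.read()}
    else:                                      # constructed stand-ins
        streams = {
            "fair bits (1 bit/byte)": bit_stream(SIZE, 0.5, seed=1),
            "biased bits (~0.81 bit/byte)": bit_stream(SIZE, 0.25, seed=2),
        }
    print(f"mean repeats at 1 bit/byte: {expected_mean(SIZE, 1.0):.2f}")
    for name, data in streams.items():
        n, seq = max_repeat(data)
        print(f"{name}: most repeated {WINDOW}-byte sequence x{n}: {seq!r}")
```

A maximum count far above what the one-bit-per-byte baseline produces for the same file size indicates the samples carry less entropy than the baseline.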