[Cryptography] TRNG review: Arduino based TRNGs

Ron Garret ron at flownet.com
Thu Jan 14 17:36:33 EST 2016


On Jan 13, 2016, at 5:08 PM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:

> On Wed, Jan 13, 2016 at 02:09:03PM -0800, Bill Cox wrote:
>> As for the minimum required hardware for an Arduino, I have not built it,
>> but I suspect we could do it with 1 cap and 2 resistors, using the 10-bit
>> ADC, assuming we could use the PWM to force A0 to a value that keeps
>> randomly flipping between 0x200 and 0x1FF, by using an RC filter on the PWM
>> connected through a resistor to A0.  [[...]]
> 
> How do we know that this value *randomly* flips, as opposed to (say)
> flipping in phase with residual 50/60Hz noise from the power supply?
> Or in phase with the temperature of that capacitor?  Or in phase with
> the temperature *difference* of those two resistors?  Or the temperature
> *difference* of two "balanced" components inside the ADC, which in turn
> correlates with the overall idle-time fraction (& hence CPU power dissipation)
> of the system?  Or the noise from switching some address-bus circuit-board
> trace which turns out to be periodic with the OS software-clock-interrupt
> frequency?  Any of these *might* be random-to-an-attacker... or they might
> not.
> 
> More generally, the problem with amplifying environmental noise is that
> the circuit is now exquisitely sensitive to other noise sources as well.
> I think you need some pretty serious power-supply regulation, RF filtering,
> and thermal control, not to mention excellent analog-electrical-engineering
> (e.g., the same sort of red/black signal separation used in TEMPEST hardware)
> if you want to have *confidence* that this is a true source of randomness.
> And (alas) I don't think that level of design & construction quality is
> going to be cheap.

IMHO the right approach is to not worry about the quality of your noise source and just use a whitener with a large margin of safety.  Feed 1000 raw 10-bit ADC readings into SHA512 and you’re almost certainly secure against any attack.  If you want to be super duper paranoid, run some basic sanity checks on the raw input, like make sure that the standard deviation of your samples is >>0.

rg
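
The whitening approach from the message above, as an added example that is not part of the original post: 1000 raw 10-bit readings are sanity-checked and fed into SHA-512. The names `whiten`, `NoiseSourceError` and `simulated_noisy`, the 0.25 threshold, the 16-bit big-endian packing and all sample inputs are assumptions constructed for illustration.

```python
import hashlib
import statistics
import struct

N_SAMPLES = 1000      # readings per output block, as in the post
ADC_MAX = 0x3FF       # largest value a 10-bit ADC can report
MIN_STDDEV = 0.25     # assumed threshold; the post only says ">>0"


class NoiseSourceError(ValueError):
    """Raised when the raw readings fail the sanity check."""


def whiten(samples, min_stddev=MIN_STDDEV):
    """Return 64 bytes: SHA-512 over N_SAMPLES raw 10-bit readings."""
    if len(samples) != N_SAMPLES:
        raise NoiseSourceError(f"need {N_SAMPLES} samples, got {len(samples)}")
    if any(not 0 <= s <= ADC_MAX for s in samples):
        raise NoiseSourceError("reading outside 10-bit range")
    sd = statistics.pstdev(samples)
    if sd < min_stddev:
        raise NoiseSourceError(f"stddev {sd:.3f} below {min_stddev}")
    # Fixed-width big-endian packing keeps the hash input unambiguous.
    raw = struct.pack(f">{N_SAMPLES}H", *samples)
    return hashlib.sha512(raw).digest()


# Constructed inputs (not measurements from real hardware).
STUCK = [0x200] * N_SAMPLES                                 # dead input
ALTERNATING = [0x1FF + (i & 1) for i in range(N_SAMPLES)]   # strictly periodic


def simulated_noisy(seed_bytes=b"constructed-demo"):
    """Deterministic stand-in for a jittery ADC, for this demo only."""
    stream = hashlib.shake_256(seed_bytes).digest(N_SAMPLES)
    return [0x1FE + (b & 3) for b in stream]
```

The standard-deviation check rejects `STUCK` but accepts `ALTERNATING`, whose standard deviation is exactly 0.5 even though the sequence is fully predictable. That kind of structured, non-random flipping is the concern raised in the quoted message, and a variance check alone does not detect it.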


