[Cryptography] TRNG review: Arduino based TRNGs

Ron Garret ron at flownet.com
Sat Jan 16 14:10:26 EST 2016


On Jan 15, 2016, at 5:49 PM, Bill Cox <waywardgeek at gmail.com> wrote:

> On Fri, Jan 15, 2016 at 5:23 PM, Ron Garret <ron at flownet.com> wrote:
> In fact, you can probably get pretty reasonable results with no circuitry at all and just letting the ADC pin float (I’ve tried this on a Teensy3 and it actually works quite well).
> 
> That's probably fine for seeding PRNGs for games.  It may have worked well in that you saw no pattern, but 1) there could have been one you did not see, and 2) any actual randomness from pin A0 might go away under different conditions, such as running on a battery inside a metal box.

Yes, of course.  I would not recommend running a floating ADC for anything really mission critical.  But even for mission-critical keys you don’t have to work very hard.  Generating noise is easy.  Generating high quality noise may be hard, but that’s my whole point: you don’t need high quality noise in order to generate perfectly secure keys in a reasonable amount of time.

> The data from the probably_random project seems to show that even with the post-whitening, there isn't much randomness there.

I can’t speak to the Arduino.  Maybe the Arduino really does suck.  An 8-bit ADC might really be fairly immune to environmental noise.  But the Teensy3 (retail price $20) has a 16-bit ADC that can operate at 20KHz.  So in 100ms I can generate 32,000 raw bits.  If I boil that down to a 256-bit key I need less than 1% entropy to be perfectly secure.  Also, with a 16-bit ADC you would have to work incredibly hard to keep noise out of the system.  Here’s an experiment someone did on a Teensy3.2, which has two ADCs:

https://forum.pjrc.com/threads/25532-ADC-library-update-now-with-support-for-Teensy-3-1
https://forum.pjrc.com/attachment.php?attachmentid=1794&d=1396800719

They tied the two ADCs together, so they are seeing the same voltage.  There’s enough noise just in the ADC system itself that the mean error between the two readings is 0.02%.  That’s 2-3 bits of entropy per sample.  That’s enough to generate a 256-bit key in 10ms.  And that’s what you get when you’re not even trying to introduce noise (indeed, when you’re trying to keep the noise out!)

> My first guess is that you're measuring power supply noise.

That’s possible, though by the time the AC goes through the wall transformer, the laptop battery, and the USB port, it’s probably pretty clean.  But what difference does it make where the noise is coming from as long as there’s actually some noise?

> Can you try generating a bunch of floating A0 samples when running on a battery, with good bypass caps, in a nice shielded environment like a metal box?

You know, if you poke yourself in the eye hard enough, it will hurt.  The solution to this problem is not, it seems to me, to wear safety goggles all the time, but rather to simply avoid poking yourself in the eye.

Yes, if you go to extraordinary efforts to shield your system from all external sources of noise, you might be able to get to the point where your ADC doesn’t measure any noise (though if you have a 16-bit ADC even that is doubtful).  But why on earth would you want to do that?

rg
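
The following is an added example, not part of the original message or of any project mentioned in the thread. It works through the "boil 32,000 raw bits down to a 256-bit key" arithmetic with a most-common-value min-entropy estimate (in the style of NIST SP 800-90B, chosen here because the thread names no estimator) and refuses to emit a key when the source looks dead. The sample readings are constructed, and `safety_factor` is an assumed margin.

```python
import hashlib
import math
from collections import Counter

Z_99 = 2.576  # normal quantile for a 99% upper confidence bound


def min_entropy_per_sample(samples):
    """Most-common-value estimate: log2 of 1 / (upper bound on the top
    symbol's probability). Assumes independent samples; correlated ADC
    readings carry less entropy than this reports."""
    n = len(samples)
    p_max = Counter(samples).most_common(1)[0][1] / n
    p_upper = min(1.0, p_max + Z_99 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return math.log2(1 / p_upper)


def derive_key(samples, key_bits=256, safety_factor=2):
    """Hash 16-bit readings down to a key, refusing if the estimated entropy
    in the batch is below key_bits * safety_factor (safety_factor is an
    assumed margin, not a figure from the thread)."""
    total = min_entropy_per_sample(samples) * len(samples)
    if total < key_bits * safety_factor:
        raise ValueError(f"only ~{total:.0f} bits of entropy estimated")
    raw = b"".join(s.to_bytes(2, "big") for s in samples)
    return hashlib.sha256(raw).digest()[: key_bits // 8]


# Constructed data: 2000 readings (100 ms at 20 kHz, i.e. 32,000 raw bits)
# jittering by one LSB around mid-scale. Not measurements from real hardware.
NOISY = [0x8000 + d for d in (0, 1, 0, -1)] * 500
# Constructed failure case: a reading that never changes.
STUCK = [0x8000] * 2000

if __name__ == "__main__":
    h = min_entropy_per_sample(NOISY)
    print(f"{h:.2f} bits/sample, {h / 16:.1%} of the raw bits")
    print("key:", derive_key(NOISY).hex())
    try:
        derive_key(STUCK)
    except ValueError as err:
        print("stuck source rejected:", err)
```

The estimate only bounds what the histogram shows; it cannot tell environmental noise from a periodic signal, which is why the entropy check is a floor for rejecting dead inputs, not proof of randomness.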
