[Cryptography] Entropy of a diode

Bill Cox waywardgeek at gmail.com
Tue Jul 26 16:36:34 EDT 2016


Nice paper!  This is the first time I've seen a publicly reviewable
implementation of something similar to Intel's DRNG.  The Intel folks mean
well, but they are not allowed to answer technical questions about their
DRNG.  Can you answer some questions for me?

First, it looks like both your circuit and Intel's will have a strong bias,
possibly even output just 0's or just 1's, if the voltage is caused to
increase more rapidly than your feedback circuit can compensate for.  If I
write software meant to cause significant voltage shifts on the power rails
in a saw-tooth pattern, will I be able to control the output of your ES?
To simulate this, just add small voltages in series with the gates in your
inverters so there is a small mismatch.  At 14u, the mismatch will be worse
than ever unless specific steps are taken to remedy the problem.


Second, why bother with more than one ES?  AFAIK, there is no way to
combine independent sources to produce 100% perfect randomness, though we
can easily get whatever level of true randomness desired for any practical
purpose such as crypto.  Is this for improved speed?

Are you able to make devices available for testing?  Can we access the raw
ES output (unlike Intel's DRNG)?

I've simulated DRNG-like circuits, and I do believe they work, but while
they do consume less power per bit and deliver bits at a higher speed, and
with less die area than anything else I've seen, the flip side of that is
they seem to be more sensitive to external influences, mostly power supply
changes, than any other circuit I've simulated.  Intel has a patent they
don't use on adding voltage regulation to a TRNG to prevent power-rail
attacks, so the rest of us are not allowed to do that.  Without it, can you
make a single ES robust against attack?

BTW, I really do hope to be convinced that this circuit is solid and
trustworthy.  It has the best performance specs around.

Thanks,
Bill

On Sun, Jul 24, 2016 at 12:45 PM, David Johnston <dj at deadhat.com> wrote:

>
>
> On 7/21/16 8:06 AM, Tom Mitchell wrote:
>
>
> http://imotp.sourceforge.net/noise.pdf    <--- interesting.
>    From the above link: "Transistor junction noise provides a source of
>    true random data that can be sampled and stored on a computer. However,
>    this sampled data does not contain 1 bit of entropy per bit of stored
>    data. It is therefore necessary to post process the data samples to
>    distil the existing entropy into a smaller number of high entropy bits."
>
>
> This isn't just a property of transistor noise. It's a property of all
> digital samplings of physical processes in this universe.
>
> If you are building a circuit to convert sampled noise into bits, you need
> to do entropy distillation/conditioning/extraction or whatever it's called
> this week. I prefer distillation since it gets at the essence of what's
> going on.
>
> Pinkas proved that with a single source, no deterministic algorithm will get
> you to 100% entropy, as in H_inf(X) = 1, or stated more directly,
> max_i P(x_i) = 0.5.
>
> Dodis proves you can get close enough for crypto, but the guarantee is a
> computational bound, not full entropy.
>
> You can get there with multiple independent sources, but where do you find
> independent sources in this universe?
>
> For the practicing engineer, you can take advantage of multiple sources
> and accept that while you can't prove they are independent, you can assume
> they are independent enough that it's going to work. The benefits being
> that the multiple input extractors can be simpler with more clear proofs.
> We built one this way and as far as I know it's the world's most efficient
> RNG (in bits/s/W and bit/s/m^2). http://www.deadhat.com/papers/uRNG.pdf
>
> I think it is an issue for crypto systems that people built physical RNG
> noise sources without paying attention to extractor theory. The two are
> tightly coupled disciplines.
>
> DJ
>
>
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
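Editor's worked example, added to this archive page and not code from either poster or from the uRNG paper. It puts numbers on the two points in the exchange above: DJ's remark that XOR-combining sources only helps to the extent they are actually independent, and Bill's question about an attacker who modulates the power rail. The biases, the two-state "saw-tooth" rail model and the ES cell model are all constructed for illustration; nothing here describes Intel's DRNG or the uRNG circuit.

```python
import math

# Added worked example (editor's, not Bill Cox's or DJ's code). It models:
# (1) XOR-combining independent biased bits drives the bias toward 0.5 but never
#     reaches it (piling-up lemma), and
# (2) XOR-combining sources that share a power rail an attacker can modulate is
#     far weaker than the independence assumption predicts.
# All biases and the rail model below are constructed numbers.


def min_entropy_per_bit(p_one):
    """H_inf of a Bernoulli(p) bit: -log2(max_i P(x_i)). Equals 1.0 only at p = 0.5."""
    return -math.log2(max(p_one, 1.0 - p_one))


def xor_of_independent(p1, p2):
    """P(b1 XOR b2 = 1) for independent bits with P(b1=1)=p1 and P(b2=1)=p2."""
    return p1 * (1.0 - p2) + p2 * (1.0 - p1)


def xor_of_independent_many(ps):
    """P(XOR of n independent bits = 1); the piling-up lemma applied iteratively."""
    p = 0.0  # XOR with a constant 0 is the identity, so start from a certain 0
    for q in ps:
        p = xor_of_independent(p, q)
    return p


def marginal_bias(rail_dist, bias_fn):
    """P(source = 1) averaged over rail states: what a timing-blind bias test sees."""
    return sum(pr * bias_fn(r) for r, pr in rail_dist.items())


def xor_of_rail_coupled(rail_dist, bias_fns):
    """P(XOR = 1) when every source's bias is a function of one shared rail state.
    Conditioned on the state the sources are independent; unconditionally they are not."""
    return sum(pr * xor_of_independent_many([f(r) for f in bias_fns])
               for r, pr in rail_dist.items())


def min_entropy_given_rail(rail_dist, bias_fns):
    """Worst case over rail states: min-entropy of the XOR output against an
    attacker who knows (because they drove it there) which state the rail is in."""
    return min(min_entropy_per_bit(xor_of_independent_many([f(r) for f in bias_fns]))
               for r in rail_dist)


# Constructed rail model: a saw-tooth that spends half its time above and half
# below nominal and pushes two identically mismatched ES cells the same way.
RAIL = {"high": 0.5, "low": 0.5}


def es_bias(state):
    """Constructed ES cell: strong bias toward 1 on a high rail, toward 0 on a low one."""
    return 0.9 if state == "high" else 0.1


SOURCES = [es_bias, es_bias]


def compare(rail_dist, bias_fns):
    """Return what the independence assumption predicts next to what the coupled
    model actually delivers, as min-entropy per XOR output bit."""
    marginals = [marginal_bias(rail_dist, f) for f in bias_fns]
    naive_p = xor_of_independent_many(marginals)
    real_p = xor_of_rail_coupled(rail_dist, bias_fns)
    return {
        "marginals": marginals,
        "naive_xor_p": naive_p,
        "naive_min_entropy": min_entropy_per_bit(naive_p),
        "real_xor_p": real_p,
        "real_min_entropy": min_entropy_per_bit(real_p),
        "min_entropy_if_rail_known": min_entropy_given_rail(rail_dist, bias_fns),
    }


if __name__ == "__main__":
    # Truly independent sources: the bias shrinks with every XOR but never hits 0.5.
    for n in (1, 2, 4, 8):
        p = xor_of_independent_many([0.9] * n)
        print(f"{n} independent ES at p=0.9: XOR p={p:.4f}, H_inf={min_entropy_per_bit(p):.3f}")
    # Rail-coupled sources: each looks unbiased in isolation, the XOR does not.
    for k, v in compare(RAIL, SOURCES).items():
        print(f"{k}: {v}")
```

With the constructed numbers, each ES cell has marginal bias exactly 0.5, so a bias test on either raw stream passes and the independence assumption credits the XOR with a full bit of min-entropy; the coupled model gives P(XOR = 1) = 0.18, about 0.29 bits, and an attacker who knows the rail phase gets the same figure per bit. That is the gap between "independent enough" and independent that a raw-ES test interface (as Bill asks for) is needed to measure.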