[Cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

Thierry Moreau thierry.moreau at connotech.com
Fri Sep 16 09:55:04 EDT 2016


On 16/09/16 02:54 AM, Ray Dillinger wrote:
>
> One small-ish problem with electromagnetic noise is that it can
> also be described using the word "radio."  If somebody points a
> microwave antenna (or for that matter a tightly-focused transmitter)
> at the device, would they be able to predict what "random" bits
> it produces?
>
> Still, whatever can be done with radio, they remain unpredictable
> to anyone who isn't doing an expensive attack that requires human
> time and attention (and risk) to monitor a single target.  That's
> valuable.
>

I don't understand this last sentence. Valuable to whom?

> ***
>
> I think that, rather than building a complex device that
> people then have to trust, we should be building very
> simple devices whose entire functionality (and therefore
> trustworthiness) can be determined by visual inspection.
>

A device that starts very simple (e.g. resistor current noise) turns not 
so simple when design details are turned into attack vectors in the 
discussion. In practice, which type of device is promising in the above 
perspective?

> Start with an RFC or a standard, that specifies a wire-
> level serial interface for devices that generate "random"
> bits.

Easier said than done. Such a specification document would need a 
definition of "random" ...

> And the wire-level protocol should be so simple that it
> requires nothing on the board to be capable of running any
> code and is easily within reach of a hobbyist to build.
> That is, IMO, an IMPORTANT property.

That *is* the strategy in my original post. In here, "random" means the 
24-bit samples extracted from the analog-to-digital conversion circuit 
with whatever randomness is present. The wire-level protocol is a USB 
serial port emulation from which the host simply reads data. 
Alternately, the digital I/O pins could be directly connected to the PC 
parallel port, but that is not fashionable these days (hence not 
"running any code" is not achievable in practice).

> If a paranoid is
> supposed to trust the device, then either it will be
> because s/he built it him/herself, or because an electronics
> buff is able to tell from visual inspection of the components
> alone everything that the device does.  Code is not evident
> to visual inspection of the components and therefore must
> not be a requirement for any part of the device.
>

A problem I found when attempting to reduce the system integrity (visual 
or whatever) inspection property is the following one: once the system 
integrity finally rests on a very simple and small system component 
(e.g. the device you suggest), the inspection either turns into an act 
of faith, or requires sophisticated tools (not very practical). Indeed 
someone pointed at the attack vector of a high quality noise-free 
resistor hidden in the package of a cheap noisy resistor.

> Then you can publish schematics for a simple device
> that meets that protocol and produces unpredictable bits,
> and a dozen or so people can write device drivers for
> their favorite operating systems that deal with any
> device meeting that dead simple serial protocol.
>

Here you are asking for interoperability between HW and SW based on a 
specification. The definition of "random" (now "unpredictable bits") is 
challenging: beyond the O/S device driver, there is a randomness 
extractor software component that depends on statistical distribution 
hypotheses that the "simple device" would need to match.

> Somebody else can publish schematics for a *different*
> simple device implementing the same standard wire protocol
> but producing unpredictable bits in a different way,
> and the same device drivers would work for it.

Again, the HW / SW interoperability dream.


May I stress the main point in my original post: the resistor "current 
noise" would be a good source of true randomness when sampled by the 
same electronics as in a digital weight scale. Details can be worked out 
given that a 24-bit analog-to-digital conversion appears as the typical 
essential component.

   - Thierry Moreau
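
The host-side step this message refers to (reading 24-bit samples from the serial stream, then a randomness extractor that depends on a statistical hypothesis about the source) can be sketched as follows. This is an added example, not code from the post or its author; the 3-byte big-endian framing, the choice of the low 8 bits, the SHA-256 conditioner, the 2x safety margin and all function names are assumptions, and the input is simulated rather than captured from hardware. The entropy check is what makes the extractor refuse output when the noise collapses, as with the quiet-resistor substitution mentioned above.

```python
import hashlib
import math
import random
from collections import Counter

SAMPLE_BYTES = 3  # assumption: each 24-bit sample arrives as 3 big-endian bytes

def parse_samples(raw):
    """Split the byte stream into 24-bit samples, dropping a trailing partial one."""
    usable = len(raw) - len(raw) % SAMPLE_BYTES
    return [int.from_bytes(raw[i:i + SAMPLE_BYTES], "big")
            for i in range(0, usable, SAMPLE_BYTES)]

def mcv_min_entropy(samples, low_bits=8):
    """Most-common-value min-entropy estimate in bits per sample, low bits only.

    Uses a 99% upper confidence bound on the most likely value's probability,
    the approach of the NIST SP 800-90B most common value estimate.
    """
    n = len(samples)
    mask = (1 << low_bits) - 1
    top = max(Counter(s & mask for s in samples).values())
    p_hat = top / n
    p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return max(0.0, -math.log2(p_upper))

def extract_seed(samples, out_bits=256, safety=2.0):
    """Hash the samples into a seed, refusing if estimated entropy is too low."""
    too_few = len(samples) < 2
    if too_few or mcv_min_entropy(samples) * len(samples) < out_bits * safety:
        raise ValueError("estimated entropy too low for requested seed")
    raw = b"".join(s.to_bytes(SAMPLE_BYTES, "big") for s in samples)
    return hashlib.sha256(raw).digest()

def constructed_stream(n, sigma, seed=1):
    """Constructed test input: DC offset plus Gaussian noise, NOT real ADC data."""
    rng = random.Random(seed)
    vals = (int(rng.gauss(0x800000, sigma)) & 0xFFFFFF for _ in range(n))
    return b"".join(v.to_bytes(SAMPLE_BYTES, "big") for v in vals)

if __name__ == "__main__":
    noisy = parse_samples(constructed_stream(4096, sigma=300))
    print("bits/sample (low 8 bits):", round(mcv_min_entropy(noisy), 2))
    print("seed:", extract_seed(noisy).hex())
```

The estimate only bounds the most common value; it says nothing about correlation between successive samples, so it is a floor check rather than a full characterisation of the source.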

