[Cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics

Bill Cox waywardgeek at gmail.com
Mon Sep 19 01:15:53 EDT 2016


As I said... there are _many_ points to debate on this thread...  For the
original poster, I'll simply repeat that good quality thermal noise
extractors can make excellent TRNGs.  Overcoming the problem of amplifying
the real noise rather than an attacker's signal is problematic, but
solvable.  Now, on to some of those other points...

On Sun, Sep 18, 2016 at 4:25 PM, David Johnston <dj at deadhat.com> wrote:

> On 9/18/16 12:55 PM, sebastien riou wrote:
>
>> "Shrinking entropy sources comes from (a) better circuits and (b) better
>> extractor theory"
>>
>> Could you point to some literature?
>
> This paper http://www.deadhat.com/papers/uRNG.pdf is one we built, based on a
> circuit we developed and a paper I found.
> It was and may still be the smallest, most efficient secure RNG in terms
> of joules per bit and bits/s/W.


It is an excellent concept.  I simulated a similar circuit, and am
convinced that this _can_ be what you say, but I also found that I could
trivially PWN entropy sources like this with what I call a "power rail
attack", where I simply run CPU-intensive algorithms in parallel with the
TRNG attempting to generate random bits.  Entropy sources like this are the
most power-rail sensitive TRNGs I have ever simulated (and very similar to
what Intel's CPUs use for the RAND instruction).  Can you show me the
details of your design and real-life data showing resistance to this simple
attack?  I remain skeptical.

As I said, thermal noise can be an excellent TRNG entropy source, but only
if you overcome an attacker's influence over the thermal noise signal.
This can be and is done in well-designed circuits all the time, including in
ring-oscillator circuits (and even better in Peter Allan's circuit).  Your
entropy source is also a thermal-noise source.  How do you overcome an
attacker's influence?

Please don't repeat what I heard from Intel: the design is inherently
resistant to power supply noise because of symmetry in the feedback
circuit: any noise impacting one side equally impacts the other.  This was
mostly true in 0.35u silicon and larger, but this is _very_ wrong in
FinFET land.

Bill