[Cryptography] The best TRNG architecture, comming soon?
cryptography at t.lastninja.net
Mon Aug 26 05:20:02 EDT 2019
On Mon, 26 Aug 2019, at 3:03 PM, Bill Cox wrote:
> Ring oscillator based TRNGs suck, hugely. They are the reason we have so
> many RSA keys out there with one common factor. They are hard to get right
> because no one knows exactly how much entropy is coming from them, and
> everyone wants to boot fast, so we read them too soon.
I don’t think that’s actually the reason we have shared factors among many keys
- it’s usually incorrect use of the system RNG, sometimes due to stupid
implementation, such as an implementor fixing one factor because stupidity, or
the usual culprit being the boot-time entropy hole in Linux:
https://factorable.net has excellent real world research on this.
As for any variant of ring oscillator circuits: I recall that you want to model
the circuit as providing a non-uniform distribution of entropy estimate in the
worst conditions (I guess when heated in an oven?) and select the min-entropy
of the distribution. I don't know much about these circuits though.
More information about the cryptography