[Cryptography] The best TRNG architecture, comming soon?

John-Mark Gurney jmg at funkthat.com
Tue Aug 27 00:08:45 EDT 2019


Jonathan Thornburg wrote this message on Mon, Aug 26, 2019 at 09:29 -0700:
> On Sun, Aug 25, 2019 at 06:14:11AM -0700, Bill Cox wrote:
> > The best, but patented IIRC, architecture for a TRNG is super simple.
> > 
> [[ring oscillator with an even number of inversions in the loop,
> and two NAND gates at opposite points in the loop]]
> > 
> > In real life, you probably want to add more inverters than this.  This is
> > like a traditional ring oscillator, but with an *even* number of
> > inverters.  You take two inverters at opposite ends of the ring and turn
> > them into NAND gates.  The other inputs of both NAND gates are tied
> > together to make the ENABLE input.  When ENABLE is low, OUT is low.  When
> > ENABLE goes high, two edges in the ring oscillator chase each other.
> > Eventually, due to thermal or other noise, one edge catches the other, and
> > they annihilate each other.  The oscillator stops oscillating at this point.
> 
> Problem: what if the layout (& hence 0->1 and 1->0 propagation times)
> is such that (say) inverter #3 in the loop is a lot slower than the
> others *and* has asymmetric rise/fall?  The result could well be that
> when the first edge reaches inverter #3, it's slow to propagate, so
> the second edge catches up with it right there (inverter #3) resulting
> in the "TRNG" outputting a stream of constant values.  :(

This is part of the health check of your TRNG, and should catch this
and providing rng.  Also, any TRNG needs to have a whitener after it..
I don't know of any TRNG that gives you raw data w/o whitening it,
because most [all] TRNG's are biased, even slightly, and for crypto,
you need an unbiased RNG source...

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."


More information about the cryptography mailing list