[Cryptography] The best TRNG architecture, comming soon?
jmg at funkthat.com
Tue Aug 27 00:08:45 EDT 2019
Jonathan Thornburg wrote this message on Mon, Aug 26, 2019 at 09:29 -0700:
> On Sun, Aug 25, 2019 at 06:14:11AM -0700, Bill Cox wrote:
> > The best, but patented IIRC, architecture for a TRNG is super simple.
> [[ring oscillator with an even number of inversions in the loop,
> and two NAND gates at opposite points in the loop]]
> > In real life, you probably want to add more inverters than this. This is
> > like a traditional ring oscillator, but with an *even* number of
> > inverters. You take two inverters at opposite ends of the ring and turn
> > them into NAND gates. The other inputs of both NAND gates are tied
> > together to make the ENABLE input. When ENABLE is low, OUT is low. When
> > ENABLE goes high, two edges in the ring oscillator chase each other.
> > Eventually, due to thermal or other noise, one edge catches the other, and
> > they annihilate each other. The oscillator stops oscillating at this point.
> Problem: what if the layout (& hence 0->1 and 1->0 propagation times)
> is such that (say) inverter #3 in the loop is a lot slower than the
> others *and* has asymmetric rise/fall? The result could well be that
> when the first edge reaches inverter #3, it's slow to propagate, so
> the second edge catches up with it right there (inverter #3) resulting
> in the "TRNG" outputting a stream of constant values. :(
This is part of the health check of your TRNG, and should catch this
and providing rng. Also, any TRNG needs to have a whitener after it..
I don't know of any TRNG that gives you raw data w/o whitening it,
because most [all] TRNG's are biased, even slightly, and for crypto,
you need an unbiased RNG source...
John-Mark Gurney Voice: +1 415 225 5579
"All that I will do, has been done, All that I have, has not."
More information about the cryptography