[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Apr 22 18:51:31 EDT 2021


Bill Cox <waywardgeek at gmail.com> writes:

>who doesn't know a thing about analog electronics

That's the problem with many of these RNG designs: change one tiny parameter
and suddenly you've got injection locking or something similar, and your RNG
output still looks random but isn't.  This apparently was the reason why the
RNG in the Intel FWH was discontinued; ongoing process changes meant they had
to redo and re-test the design each time they changed the process.

The NSA's Fortezza design was actually pretty good in this regard: a secret
seed, a basic counter (a circuit simple enough that it's unlikely to fail),
and a hardware RNG, all mixed via SHA-1 so that even if one or the other failed
you'd still get unpredictable random values.

Peter.
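The three-input mixing structure described in the post above, as an added illustration (not the Fortezza specification and not code from the list): the byte layout, the 8-byte counter width and the constant-output "stuck hardware" failure are assumptions, and SHA-1 is used only because the post names it. The `distinct_count` check shows the failure mode the post is about: a design that hashes the hardware sample alone collapses to a single repeated block when the source wedges, while the seed+counter+hardware mix keeps producing fresh blocks whether the hardware source or the counter is the part that fails.

```python
import hashlib
import os
from typing import Callable

HwSource = Callable[[int], bytes]


class MixedRng:
    """Secret seed, counter and a fresh hardware sample hashed together per
    output block. Layout and counter width are assumptions for illustration."""

    def __init__(self, seed: bytes, hw_source: HwSource, counter_step: int = 1):
        self.seed = seed
        self.hw_source = hw_source
        self.counter = 0
        self.counter_step = counter_step  # 0 models a stuck counter

    def next_block(self) -> bytes:
        h = hashlib.sha1()  # SHA-1 because the post names it; a new design would pick SHA-2/3
        h.update(self.seed)
        h.update(self.counter.to_bytes(8, "big"))
        h.update(self.hw_source(20))  # hardware sample drawn per call
        self.counter += self.counter_step
        return h.digest()


def stuck_hw_source(n: int) -> bytes:
    """Constructed failure: a hardware RNG wedged at a constant output."""
    return b"\x00" * n


live_hw_source: HwSource = os.urandom  # stand-in for a working hardware source


def naive_block(hw_source: HwSource) -> bytes:
    """Design that depends on the hardware source alone: no seed, no counter."""
    return hashlib.sha1(hw_source(20)).digest()


def distinct_count(gen: Callable[[], bytes], n: int) -> int:
    """Distinct output blocks over n draws. A wedged design collapses to 1;
    distinctness is a necessary sanity check, not a proof of unpredictability."""
    return len({gen() for _ in range(n)})


if __name__ == "__main__":
    print("naive, stuck HW :", distinct_count(lambda: naive_block(stuck_hw_source), 1000))
    print("mixed, stuck HW :", distinct_count(MixedRng(b"secret-seed", stuck_hw_source).next_block, 1000))
    print("mixed, stuck ctr:", distinct_count(MixedRng(b"secret-seed", live_hw_source, 0).next_block, 1000))
```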


