[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

John Denker jsd at av8n.com
Mon Apr 26 16:18:28 EDT 2021


On 4/25/21 2:23 PM, John-Mark Gurney wrote:

> Other question is why isn't SRAM used more often as a source of randomness?

Answer: Because that is a terrible idea.

Depending on details of /how/ it is powered up, the initial RAM
might be all zeros, or all ones, or the same pattern as last time,
or whatever.

In this business, the following concepts are helpful:
 -- deterministic, i.e. reliably deterministic
 -- random, i.e. reliably random
 -- squish

In particular: just because something is not reliably deterministic
does *not* make it reliably random; typically it's just squish. Just
because you looked at it once and didn't see any obvious pattern doesn't
mean there will never be a situation where a determined adversary can
figure out the pattern.

Unless it is reliably random, it is useless as a source of randomness
for serious crypto or for any other serious purpose. If you want it
to be useful, you need to come up with a /provable/ lower bound on
amount of randomness. In virtually all cases, that requires a granular
understanding of the underlying physics.

I have been trying to explain this since I was 18 years old. I had a
job that needed a source of randomness, and the customer emphatically
directed me to use the value in the accumulator at the time of the last
interrupt. I tried to explain that just because *he* couldn't predict
it doesn't mean it is reliably random.

In this case, it was an interrupt-driven system, and the only code that
wasn't an interrupt handler was the null job. So in fact the accumulator
wasn't even squish; it was a 100% predictable constant.
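The failure modes listed above (all zeros, all ones, the same pattern as last time) are exactly what a defender should look for before trusting a power-up SRAM image as a seed. The script below is an added example, not code from this post or from the thread: it takes a list of equal-length dumps captured across separate power-ups (the sample dumps here are constructed in code, not real hardware captures), counts stuck bits and repeated images, and produces an observational per-bit min-entropy estimate. The function names and the dump format are assumptions of this example. The estimate assumes the bits are independent and is only as good as the captures it saw; it is a screening test, not the provable, physics-based lower bound the post calls for.

```python
"""Screening checks for SRAM power-up dumps (added example, not from the post).

Each dump is a bytes object of the same length captured after a cold power-up.
Sample dumps at the bottom are constructed in code for demonstration.
"""
import math
import random


def bit(dump, i):
    """Bit i of a dump, least-significant bit of each byte first."""
    return (dump[i >> 3] >> (i & 7)) & 1


def per_bit_ones(dumps):
    """For every bit position, count how many dumps had that bit set."""
    n_bits = len(dumps[0]) * 8
    counts = [0] * n_bits
    for d in dumps:
        if len(d) != len(dumps[0]):
            raise ValueError("all dumps must have the same length")
        for i in range(n_bits):
            counts[i] += bit(d, i)
    return counts


def stuck_bits(dumps):
    """Bit positions that never varied across dumps (always 0 or always 1)."""
    n = len(dumps)
    return sum(1 for c in per_bit_ones(dumps) if c == 0 or c == n)


def repeated_dumps(dumps):
    """Dumps that are byte-for-byte identical to the previous power-up."""
    return sum(1 for a, b in zip(dumps, dumps[1:]) if a == b)


def min_entropy_estimate(dumps):
    """Sum over bits of -log2(max(p, 1 - p)), p = observed frequency of 1s.

    A stuck bit contributes 0. Bits are treated as independent, which is an
    optimistic assumption, so this is an empirical estimate from the captures
    seen, not a provable lower bound on the source.
    """
    n = len(dumps)
    total = 0.0
    for c in per_bit_ones(dumps):
        total += -math.log2(max(c, n - c) / n)
    return total


def report(dumps):
    """Summary a reviewer can compare against the source's claimed entropy."""
    return {
        "bits": len(dumps[0]) * 8,
        "stuck_bits": stuck_bits(dumps),
        "repeated_dumps": repeated_dumps(dumps),
        "min_entropy_estimate_bits": round(min_entropy_estimate(dumps), 1),
    }


# --- constructed sample dumps (not real captures) ---------------------------

def make_all_zero(n_dumps=8, n_bytes=64):
    """RAM that powers up cleared every time."""
    return [bytes(n_bytes)] * n_dumps


def make_same_pattern(n_dumps=8, n_bytes=64, seed=1):
    """RAM that looks random once but is identical on every power-up."""
    rng = random.Random(seed)
    pattern = bytes(rng.getrandbits(8) for _ in range(n_bytes))
    return [pattern] * n_dumps


def make_partly_stuck(n_dumps=16, n_bytes=64, stuck_bytes=16, seed=2021):
    """First 16 bytes always 0xFF, the rest varying (simulated, seeded)."""
    rng = random.Random(seed)
    return [bytes([0xFF] * stuck_bytes)
            + bytes(rng.getrandbits(8) for _ in range(n_bytes - stuck_bytes))
            for _ in range(n_dumps)]


if __name__ == "__main__":
    for name, dumps in [("all zeros", make_all_zero()),
                        ("same pattern", make_same_pattern()),
                        ("partly stuck", make_partly_stuck())]:
        print(f"{name:13s} {report(dumps)}")
```

The "same pattern" case is the one that fools a single inspection: one dump looks fine, yet across power-ups every bit is stuck and the estimate is zero. Collecting dumps across temperature, supply ramp rate and power-off duration before drawing any conclusion is the minimum; even then the number reported is an observation, not a proof.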
