[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

John-Mark Gurney jmg at funkthat.com
Mon Apr 26 17:59:56 EDT 2021


John Denker wrote this message on Mon, Apr 26, 2021 at 13:18 -0700:
> On 4/25/21 2:23 PM, John-Mark Gurney wrote:
> 
> > Other question is why isn't SRAM used more often as a source of randomness?
> 
> Answer: Because that is a terrible idea.
> 
> Depending on details of /how/ it is powered up, the initial RAM
> might be all zeros, or all ones, or the same pattern as last time,
> or whatever.
> 
> In this business, the following concepts are helpful:
>  -- deterministic, i.e. reliably deterministic
>  -- random, i.e. reliably random
>  -- squish
> 
> In particular: just because something is not reliably deterministic
> does *not* make it reliably random; typically it's just squish. Just
> because you looked at it once and didn't see any obvious pattern doesn't
> mean there will never be a situation where a determined adversary can
> figure out the pattern.

This applies to ALL TRNG sources.  You cannot use a TRNG if you cannot
understand and model the underlying physics to decide if it's random
or not.  Like you said, just because you measured the source, and it
appears to meet the necessary "entropy" requirements, doesn't mean that
it will be reliably random.

Have you read the papers that studied SRAM sources?  From your reply
it sounds like you have not.  The reason why SRAM bits may start up
in an indeterminate state is well known and studied, and in some cases
SRAM is known to not be reliably indeterminate.  Does this mean that
ALL SRAM sources are reliably indeterminate?  No, it does not.

-- 
  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
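The point both posters make, that one dump which "looks random" says nothing about whether the power-up state is the same every time, can be checked empirically only across many power cycles. The script below is an added example, not code from this thread or from either author: it takes several dumps of the same SRAM region captured right after power-up, classifies each cell as stable-0, stable-1 or unstable, and estimates an optimistic per-bit min-entropy from the observed flip frequency. The dumps here are constructed by a simulator (`simulate_powerups`, a stand-in for real captures) so the script runs offline; the independence assumption and the margin value are assumptions, not measurements.

```python
"""Per-cell stability analysis of SRAM power-up dumps.

Added example, not from the mailing-list thread.  Given N dumps of the same
SRAM region taken immediately after N separate power-ups, report how many
cells are stuck at 0, stuck at 1, or flip between cycles, and estimate the
min-entropy contributed by the flipping cells.  A source that comes up the
same way every time scores zero here even if a single dump is perfectly
balanced between ones and zeros.
"""
from __future__ import annotations

import math
import random


def bits_of(dump: bytes) -> list[int]:
    """Expand a byte string into a list of bits, LSB of each byte first."""
    return [(b >> i) & 1 for b in dump for i in range(8)]


def ones_fraction(dump: bytes) -> float:
    """Fraction of one-bits in a single dump: the naive 'looks random' check."""
    bits = bits_of(dump)
    return sum(bits) / len(bits)


def per_bit_one_fraction(dumps: list[bytes]) -> list[float]:
    """For each bit position, the fraction of dumps in which it came up 1."""
    columns = [bits_of(d) for d in dumps]
    length = len(columns[0])
    if any(len(c) != length for c in columns):
        raise ValueError("all dumps must cover the same SRAM region")
    return [sum(c[i] for c in columns) / len(dumps) for i in range(length)]


def classify(dumps: list[bytes], margin: float = 0.1) -> tuple[int, int, int]:
    """Count (stable-0, stable-1, unstable) cells.

    A cell is 'stable' if it sits at one value in at least (1 - margin) of the
    cycles.  The 10% margin is an assumed threshold, not a standard.
    """
    fracs = per_bit_one_fraction(dumps)
    stable0 = sum(1 for p in fracs if p <= margin)
    stable1 = sum(1 for p in fracs if p >= 1.0 - margin)
    return stable0, stable1, len(fracs) - stable0 - stable1


def min_entropy_bits(dumps: list[bytes]) -> float:
    """Sum over cells of -log2(max(p, 1-p)).

    Assumes cells are independent, which real SRAM is not (neighbouring cells
    and supply ramp rate correlate), so this is an optimistic upper bound.
    Any cell that is identical in every dump contributes exactly zero.
    """
    total = 0.0
    for p in per_bit_one_fraction(dumps):
        pmax = max(p, 1.0 - p)
        total += -math.log2(pmax) if pmax < 1.0 else 0.0
    return total


def simulate_powerups(n_cycles: int, n_bytes: int, frac_unstable: float,
                      seed: int) -> list[bytes]:
    """Constructed data standing in for real captures.

    Stable cells keep a fixed (random-looking) value across every cycle;
    a chosen fraction of cells flip independently with probability 1/2.
    frac_unstable=0.0 models the 'same pattern as last time' failure.
    """
    rng = random.Random(seed)
    n_bits = n_bytes * 8
    fixed = [rng.getrandbits(1) for _ in range(n_bits)]
    unstable = set(rng.sample(range(n_bits), int(frac_unstable * n_bits)))
    dumps = []
    for _ in range(n_cycles):
        bits = [rng.getrandbits(1) if i in unstable else fixed[i]
                for i in range(n_bits)]
        out = bytearray()
        for i in range(0, n_bits, 8):
            out.append(sum(bits[i + j] << j for j in range(8)))
        dumps.append(bytes(out))
    return dumps


def report(dumps: list[bytes]) -> dict:
    """Summary a practitioner would look at before trusting the source."""
    s0, s1, unstable = classify(dumps)
    return {
        "cycles": len(dumps),
        "single_dump_ones_fraction": round(ones_fraction(dumps[0]), 3),
        "stable0": s0, "stable1": s1, "unstable": unstable,
        "min_entropy_bits_upper_bound": round(min_entropy_bits(dumps), 1),
    }


if __name__ == "__main__":
    # Deterministic power-up: balanced bits, zero entropy across cycles.
    print("deterministic:", report(simulate_powerups(50, 256, 0.0, seed=1)))
    # 5% of cells genuinely flip: entropy comes only from those cells.
    print("partly unstable:", report(simulate_powerups(50, 256, 0.05, seed=2)))
```

The first simulated source prints a ones fraction near 0.5 for any single dump yet contributes zero min-entropy, which is exactly the trap of judging a source from one observation. Even the second number is only a ceiling: the script cannot vary supply ramp rate, temperature or time-since-last-power-down for you, and a real characterisation has to collect dumps under the full range of conditions the device will see before the per-cell statistics mean anything.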

