[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Ron Garret ron at flownet.com
Fri Apr 30 09:45:15 EDT 2021


On Apr 26, 2021, at 2:59 PM, John-Mark Gurney <jmg at funkthat.com> wrote:

> This applies to ALL TRNG sources.  You cannot use a TRNG if you cannot
> understand and model the underlying physics to decide if it's random
> or not.

This is the wrong way to think about it.  First, randomness is not binary.  A system is not “random” or “not random”.  The right way to think about it is: how many bits of entropy does a system reliably produce per unit time.

Second, entropy can only be measured with respect to a prospective adversary’s knowledge.  The best entropy source is useless if your adversary can read the output (e.g. via a TEMPEST attack).

The physical details of your RNG hardly matter at all.  The thing that matters is *having a reliable estimate of the lower bound of the entropy produced by your system with respect to prospective adversaries*.  If you have that, you win with the following simple procedure: collect 10x or 100x more entropy than you think you need for a given security level, then use that to seed a good PRNG.  If you don’t have that, you lose no matter how fancy your hardware is.

That is really all anyone ever needs to know about TRNGs.

rg
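The procedure Ron sketches (fix a lower bound on min-entropy per sample with respect to the adversary, collect 10x or 100x more than the target security level, condition it into a seed, then run a good deterministic generator off that seed) as a worked example. This is added here and is not code from the post or from any project; the noise source is a constructed simulation (a biased coin, seeded only so the run is reproducible), the 0.9 worst-case bias and the 256-bit target are assumptions standing in for figures a real design would have to justify from its own hardware and threat model, and the DRBG is a minimal HMAC-DRBG in the style of SP 800-90A without reseed bookkeeping.

```python
"""Seed a DRBG from a noise source using a conservative min-entropy lower
bound and a large safety margin.  Added example, not from the original
post.  The source below is a constructed simulation; the p_max figure
is an assumed adversarial bound, not a measurement."""
import hashlib
import hmac
import math
import random

REPETITION_TEST_ALPHA_BITS = 30  # SP 800-90B style false-alarm rate 2^-30


def min_entropy_bits(p_max):
    """Min-entropy (bits) of one sample whose most likely value has
    probability p_max as far as the adversary can tell.  This, not
    Shannon entropy, is the quantity to lower-bound for seeding."""
    if not 0 < p_max <= 1:
        raise ValueError("p_max must be in (0, 1]")
    return -math.log2(p_max)


def samples_needed(security_bits, min_entropy_per_sample, margin=10):
    """Raw samples so that margin * security_bits of min-entropy are
    present under the assumed per-sample lower bound."""
    if min_entropy_per_sample <= 0:
        raise ValueError("a source with no entropy lower bound cannot seed anything")
    return math.ceil(security_bits * margin / min_entropy_per_sample)


class SimulatedNoiseSource:
    """Constructed stand-in for a TRNG: returns 1 with probability p_one.
    Seeded only so the example is reproducible; real input is hardware."""

    def __init__(self, p_one, sim_seed=0):
        self.p_one = p_one
        self._rng = random.Random(sim_seed)

    def read(self, n):
        return bytes(1 if self._rng.random() < self.p_one else 0 for _ in range(n))


def collect_seed(source, security_bits, p_max, margin=10):
    """Collect margin x security_bits of assumed min-entropy, run a
    repetition-count health test (a stuck source must be rejected, not
    hashed into a seed), and condition the pool with SHA-256."""
    h = min_entropy_bits(p_max)
    n = samples_needed(security_bits, h, margin)
    raw = source.read(n)
    if len(raw) != n:
        raise RuntimeError("source delivered fewer samples than required")
    # Cutoff from SP 800-90B's repetition count test: 1 + ceil(-log2(alpha)/H).
    cutoff = 1 + math.ceil(REPETITION_TEST_ALPHA_BITS / h)
    run = 1
    for a, b in zip(raw, raw[1:]):
        run = run + 1 if a == b else 1
        if run >= cutoff:
            raise RuntimeError("source appears stuck (repetition-count test failed)")
    return hashlib.sha256(raw).digest()


class HmacDrbg:
    """Minimal HMAC-DRBG (SHA-256) without reseed counter or prediction
    resistance: once a good seed exists, the hardware no longer matters."""

    def __init__(self, seed_material):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed_material)

    @staticmethod
    def _mac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data):
        self.K = self._mac(self.K, self.V + b"\x00" + data)
        self.V = self._mac(self.K, self.V)
        if data:
            self.K = self._mac(self.K, self.V + b"\x01" + data)
            self.V = self._mac(self.K, self.V)

    def generate(self, nbytes):
        out = b""
        while len(out) < nbytes:
            self.V = self._mac(self.K, self.V)
            out += self.V
        self._update(b"")
        return out[:nbytes]


def seeded_generator(source, security_bits=256, p_max=0.9, margin=10):
    """The whole procedure: lower bound -> oversized collection ->
    health test -> conditioning -> DRBG."""
    return HmacDrbg(collect_seed(source, security_bits, p_max, margin))


if __name__ == "__main__":
    drbg = seeded_generator(SimulatedNoiseSource(p_one=0.9, sim_seed=1))
    print(drbg.generate(32).hex())
```

With p_max = 0.9 each sample is worth only about 0.15 bits, so the 10x margin on 256 bits costs roughly 16,800 samples; the point of the margin is that a modest error in the lower bound (say the true bias is 0.95) still leaves far more than 256 bits in the pool. The health test is the one piece of physics-facing logic a practitioner should not skip: a source that silently sticks at a constant value has a lower bound of zero, and no amount of hashing repairs that.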