[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Arnold Reinhold agr at me.com
Wed May 5 13:00:35 EDT 2021


On Fri, 30 Apr 2021 06:45:15 -0700 Ron Garret wrote:

> On Apr 26, 2021, at 2:59 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
> 
>> This applies to ALL TRNG sources.  You cannot use a TRNG if you cannot
>> understand and model the underlying physics to decide if it's random
>> or not.
> 
> This is the wrong way to think about it.  First, randomness is not binary.  A system is not "random" or "not random".  The right way to think about it is: how many bits of entropy does a system reliably produce per unit time.
> 
> Second, entropy can only be measured with respect to a prospective adversary's knowledge.  The best entropy source is useless if your adversary can read the output (e.g. via a tempest attack).
> 
> The physical details of your RNG hardly matter at all.  The thing that matters is *having a reliable estimate of the lower bound of the entropy produced by your system with respect to prospective adversaries*.  If you have that, you win with the following simple procedure: collect 10x or 100x more entropy than you think you need for a given security level, then use that to seed a good PRNG.  If you don't have that, you lose no matter how fancy your hardware is.
> 
> That is really all anyone ever needs to know about TRNGs.


I think you may be missing the point.  How do you get "a reliable estimate of the lower bound of the entropy produced" without an understanding of the physical details of the generator?  In addition, knowledge of the physical details may help in verifying that a supposed TRNG was constructed the way the manufacturer says, perhaps by verifying temperature or voltage variability.

Unpredictable bit strings are the bedrock on which modern security systems are built. If that unpredictability cannot be guaranteed, nothing is safe.

Arnold Reinhold
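The procedure in the quoted post, worked through as an added example (this is not code from the thread or from either correspondent): bound the min-entropy per raw sample, check that the source keeps behaving like the model the bound assumes, over-collect by a 10x margin, condition, and seed a PRNG. The estimator and health test follow NIST SP 800-90B (Most Common Value estimator, repetition count test); the HMAC-DRBG is a reduced sketch of the SP 800-90A construction without a reseed counter. Every source is constructed in-process and the function names (seed_from_source, HmacDrbg, biased_bits, fair_bits, periodic_bits) are this example's own. The periodic source at the end is there to make the reply's objection concrete: a fixed pattern has no entropy to anyone who knows it, yet the statistical bound and the health test both accept it, because the bound is only as good as the i.i.d. model it presumes.

```python
"""Entropy budget for a raw bit source: lower-bound the min-entropy,
health-check the source against that bound, over-collect, condition, seed.
Added example for the thread above; all sources are constructed here and the
HMAC-DRBG is a minimal SP 800-90A sketch (instantiate + generate only)."""
import hashlib
import hmac
import math
import random
from collections import Counter


def min_entropy_mcv(samples):
    """SP 800-90B Most Common Value estimator: a lower bound on min-entropy
    per sample, valid only if samples are i.i.d. from a stationary source.
    p_u is a 99% upper confidence bound on the most frequent symbol's rate."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    top = Counter(samples).most_common(1)[0][1]
    p_hat = top / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def samples_needed(target_bits, h_per_sample, margin=10):
    """Raw samples to collect for target_bits of seed entropy, over-collecting
    by `margin` (the 10x / 100x suggested in the quoted post)."""
    if h_per_sample <= 0:
        raise ValueError("no entropy lower bound: refuse to budget")
    return math.ceil(margin * target_bits / h_per_sample)


def repetition_count_cutoff(h_per_sample, alpha=2.0 ** -20):
    """SP 800-90B repetition count test: a run of `cutoff` identical samples
    has probability < alpha if the source really delivers h bits/sample."""
    return 1 + math.ceil(-math.log2(alpha) / h_per_sample)


def passes_repetition_count_test(samples, cutoff):
    """False if any run of identical samples reaches the cutoff."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return False
    return True


def condition(samples):
    """Compress raw samples into a 256-bit seed; SHA-256 as the conditioner."""
    return hashlib.sha256(bytes(samples)).digest()


class HmacDrbg:
    """Minimal HMAC-DRBG over SHA-256 (no reseed counter, no personalization)."""

    def __init__(self, seed_material):
        self.k = b"\x00" * 32
        self.v = b"\x01" * 32
        self._update(seed_material)

    def _update(self, data):
        self.k = hmac.new(self.k, self.v + b"\x00" + data, "sha256").digest()
        self.v = hmac.new(self.k, self.v, "sha256").digest()
        if data:
            self.k = hmac.new(self.k, self.v + b"\x01" + data, "sha256").digest()
            self.v = hmac.new(self.k, self.v, "sha256").digest()

    def generate(self, nbytes):
        out = b""
        while len(out) < nbytes:
            self.v = hmac.new(self.k, self.v, "sha256").digest()
            out += self.v
        self._update(b"")
        return out[:nbytes]


def seed_from_source(samples, target_bits=128, margin=10):
    """The quoted post's procedure end to end.  Returns the seeded DRBG plus
    the entropy bound and the sample count it was built on."""
    h = min_entropy_mcv(samples)
    if h <= 0:
        raise ValueError("source looks constant: no entropy lower bound")
    if not passes_repetition_count_test(samples, repetition_count_cutoff(h)):
        raise RuntimeError("source behaving unlike its entropy model; not seeding")
    need = samples_needed(target_bits, h, margin)
    if len(samples) < need:
        raise RuntimeError(f"have {len(samples)} samples, need {need}")
    return HmacDrbg(condition(samples[:need])), h, need


# Constructed sources for the demo; none of these is a real TRNG.
def biased_bits(n, p_one=0.8, seed=1):
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def fair_bits(n, seed=2):
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def periodic_bits(n):
    """Zero entropy to anyone who knows the pattern, yet statistically it
    looks like biased_bits: the bound needs a model of the source, not just
    its output."""
    return [1, 1, 1, 1, 0] * (n // 5)


if __name__ == "__main__":
    for name, src in (("biased", biased_bits(5000)), ("fair", fair_bits(5000)),
                      ("periodic", periodic_bits(5000))):
        h = min_entropy_mcv(src)
        print(f"{name}: MCV bound {h:.3f} bits/sample, "
              f"{samples_needed(128, h)} samples for 128 bits at 10x")
    drbg, h, need = seed_from_source(periodic_bits(5000))
    print("periodic source seeded a DRBG anyway:", drbg.generate(8).hex())
```

Running it prints a bound near 0.3 bits/sample for both the biased and the periodic source, and the periodic one sails through seed_from_source; nothing in the output statistics distinguishes a noisy diode from a counter, which is the question the reply puts to the quoted procedure.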