[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

John Denker jsd at av8n.com
Fri May 14 01:21:43 EDT 2021


On 5/13/21 8:48 AM, Ron Garret wrote:

> [...] because good sources of entropy are ubiquitous nowadays. Make
> an audio recording of yourself making pretty much any sound (saying
> “hisssssss” would be particularly effective) for a few seconds and
> you will have all the entropy you need for even the most demanding
> application.  You don’t need to understand the details of how your
> audio system works to be able to rely on it.  All you need is to be
> able to verify that the recording you get bears some resemblance to
> the sound you made in order to produce it (to verify that it is
> working at all).
> 
> The hard part is not finding good sources of entropy.  The hard part 
> is protecting that source against tempest attacks and other forms of 
> eavesdropping.

I wouldn't have said that.

Before we go on, let me point out that there are actually
two topics on the table, masquerading as one.

A) If you have a black box that outputs entropy, and *IF* some oracle
 tells you how much entropy, then you don't care how the entropy was
 produced. That's because entropy is fungible, to a decent
 approximation.

 That's like saying money is fungible.

   Tangential minor point: In theory that's exactly true, by
   definition. That's why money was invented. However, in
   practice you may find that a million dollars in hundred-
   dollar bills is preferable to a million dollars in
   pennies. So it is with entropy. You may find that a
   64-bit word with 64 bits of entropy is preferable to a
   thousand 64-bit words with 64 bits of entropy in there
   somewhere.

B) Graf (A) above is true as stated ... but it contains some very
 dicey provisos. The subject of this thread is the /design/ of TRNGs.
 In the world where I live oracles are hard to come by. So we have to
 open the black box and delve into the innards.

 In other words, at this level (B), it is absolutely wrong to suggest
 that the physics doesn't matter.

 A recorded hiss is a terrible idea, for multiple reasons:
  1) It's finite.
  2) The existence of a recording invites a replay attack.
  3) It's hard to characterize. Just because it "sounds white" to you
   doesn't mean it's reliably white. Do you know enough about the
   fluid dynamics of the vocal tract to be able to characterize the
   statistics of a spoken hiss? It doesn't have to be exact, but we
   need a reliable lower bound. You could maybe take a guess and then
   derate the device by a few orders of magnitude just to be sure.
   When I see devices like that I sometimes say "It wasn't designed,
   it was hatched."

 All that ugliness is completely unnecessary. You'd be a lot better
 off using Johnson noise:
  1') It offers an endless supply of noise.
  2') It cannot be overheard or replayed.
  3') It can be well characterized in terms of the fundamental physics
   plus well-determined engineering parameters such as gain and
   bandwidth. There are a couple of Phys. Rev. Letters on this subject
   by my buddies Nyquist and Johnson.

> The hard part is not finding good sources of entropy.  The hard part
> is protecting that source against tempest attacks and other forms of
> eavesdropping.

There's more than that to worry about. A lot more.
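A worked instance of point 3') above, showing how a reliable lower bound on entropy per sample follows from the Nyquist/Johnson formula plus the engineering parameters (gain, bandwidth, ADC resolution), and why too little gain or too much gain both leave you with about one bit. This is an added example, not code from the original message; the resistor, temperature, bandwidth, gain and ADC figures are constructed sample values, and it assumes an ideal noiseless amplifier with a flat passband and samples spaced far enough apart to be independent.

```python
import math

K_B = 1.380649e-23  # Boltzmann constant, J/K

def johnson_noise_vrms(r_ohm, t_kelvin, bandwidth_hz):
    """Nyquist/Johnson formula: open-circuit thermal-noise RMS voltage
    across a resistor is sqrt(4 k T R B)."""
    return math.sqrt(4.0 * K_B * t_kelvin * r_ohm * bandwidth_hz)

def _phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def adc_bin_probabilities(sigma_v, bits, full_scale_v):
    """Probability that one sample of zero-mean Gaussian noise (std sigma_v)
    lands in each code of an ADC spanning [-FS/2, +FS/2) with 2**bits codes.
    Voltages outside the range clip into the two end codes."""
    n = 1 << bits
    lsb = full_scale_v / n
    probs = []
    for i in range(n):
        lo = -full_scale_v / 2.0 + i * lsb
        p_lo = 0.0 if i == 0 else _phi(lo / sigma_v)
        p_hi = 1.0 if i == n - 1 else _phi((lo + lsb) / sigma_v)
        probs.append(p_hi - p_lo)
    return probs

def min_entropy_bits(probs):
    """Min-entropy H_inf = -log2(max p): the conservative lower bound a
    TRNG design needs, not the (larger) Shannon entropy."""
    return -math.log2(max(probs))

def entropy_per_sample(r_ohm, t_kelvin, bandwidth_hz, gain, bits, full_scale_v):
    """Lower bound on entropy per raw ADC sample for an idealised front end:
    physics (k, T, R) plus engineering parameters (bandwidth, gain, ADC)."""
    sigma_v = gain * johnson_noise_vrms(r_ohm, t_kelvin, bandwidth_hz)
    return min_entropy_bits(adc_bin_probabilities(sigma_v, bits, full_scale_v))

if __name__ == "__main__":
    # Constructed sample parameters: 100 kOhm source at 300 K, 100 kHz
    # bandwidth, 8-bit ADC with a 1 V full-scale range.
    R, T, B, BITS, FS = 1e5, 300.0, 1e5, 8, 1.0
    print("thermal noise: %.2f uV rms" % (1e6 * johnson_noise_vrms(R, T, B)))
    for gain in (1.0, 1e3, 1e9):
        # Noise below 1 LSB (gain 1) or hard clipping (gain 1e9) both collapse
        # to ~1 bit per sample: only the sign of the sample survives.
        h = entropy_per_sample(R, T, B, gain, BITS, FS)
        print("gain %g: %.2f bits/sample" % (gain, h))
```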

