[Cryptography] Duh, why aren't most embedded TRNGs designed this way?
John Denker
jsd at av8n.com
Fri May 14 01:21:43 EDT 2021

On 5/13/21 8:48 AM, Ron Garret wrote:
> [...] because good sources of entropy are ubiquitous nowadays. Make
> an audio recording of yourself making pretty much any sound (saying
> “hisssssss” would be particularly effective) for a few seconds and
> you will have all the entropy you need for even the most demanding
> application. You don’t need to understand the details of how your
> audio system works to be able to rely on it. All you need is to be
> able to verify that the recording you get bears some resemblance to
> the sound you made in order to produce it (to verify that it is
> working at all).
>
> The hard part is not finding good sources of entropy. The hard part
> is protecting that source against tempest attacks and other forms of
> eavesdropping.

I wouldn't have said that.

Before we go on, let me point out that there are actually
two topics on the table, masquerading as one.

A) If you have a black box that outputs entropy, and *IF* some oracle
tells you how much entropy, then you don't care how the entropy was
produced. That's because entropy is fungible, to a decent
approximation.

That's like saying money is fungible.

Tangential minor point: In theory that's exactly true, by
definition. That's why money was invented. However, in
practice you may find that a million dollars in
hundred-dollar bills is preferable to a million dollars in
pennies. So it is with entropy. You may find that a
64-bit word with 64 bits of entropy is preferable to a
thousand 64-bit words with 64 bits of entropy in there
somewhere.

B) Graf (A) above is true as stated ... but it contains some very
dicey provisos. The subject of this thread is the /design/ of TRNGs.
In the world where I live oracles are hard to come by. So we have to
open the black box and delve into the innards.

In other words, at this level (B), it is absolutely wrong to suggest
that the physics doesn't matter.

A recorded hiss is a terrible idea, for multiple reasons:

1) It's finite.
2) The existence of a recording invites a replay attack.
3) It's hard to characterize. Just because it "sounds white" to you
doesn't mean it's reliably white. Do you know enough about the
fluid dynamics of the vocal tract to be able to characterize the
statistics of a spoken hiss? It doesn't have to be exact, but we
need a reliable lower bound. You could maybe take a guess and then
derate the device by a few orders of magnitude just to be sure.

When I see devices like that I sometimes say "It wasn't designed,
it was hatched."

All that ugliness is completely unnecessary. You'd be a lot better
off using Johnson noise:

1') It offers an endless supply of noise.
2') It cannot be overheard or replayed.
3') It can be well characterized in terms of the fundamental physics
plus well-determined engineering parameters such as gain and
bandwidth. There are a couple of Phys. Rev. Letters on this subject
by my buddies Nyquist and Johnson.

> The hard part is not finding good sources of entropy. The hard part
> is protecting that source against tempest attacks and other forms of
> eavesdropping.

There's more than that to worry about. A lot more.
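
Point 3') above can be carried through numerically. The following is an added example, not code from the post or its author: it computes the Johnson noise level from resistance, temperature and bandwidth, applies the gain, and derives a lower bound on the min-entropy of each ADC sample. The component values are constructed, and the model assumes an ideal non-clipping ADC, Gaussian noise, and samples taken slowly enough (no faster than twice the bandwidth) to be treated as independent.

```python
import math

K_B = 1.380649e-23  # Boltzmann constant in J/K (exact SI value)


def johnson_vrms(r_ohm, temp_k, bandwidth_hz):
    """RMS thermal (Johnson) noise voltage of a resistor: sqrt(4 k T R B)."""
    return math.sqrt(4.0 * K_B * temp_k * r_ohm * bandwidth_hz)


def min_entropy_bits(sigma_lsb):
    """Lower bound on min-entropy per sample for Gaussian noise whose
    standard deviation is sigma_lsb ADC steps.

    No 1-LSB bin can hold more probability than one centred on the mean,
    so the bound holds for any DC offset at the ADC input.
    """
    if sigma_lsb <= 0:
        return 0.0
    p_max = math.erf(0.5 / (sigma_lsb * math.sqrt(2.0)))
    if p_max >= 1.0:   # noise far below one LSB: no credit
        return 0.0
    return -math.log2(p_max)


def samples_needed(target_bits, r_ohm, temp_k, bandwidth_hz, gain, lsb_volts):
    """Raw samples to collect before crediting target_bits of entropy."""
    sigma_lsb = gain * johnson_vrms(r_ohm, temp_k, bandwidth_hz) / lsb_volts
    h = min_entropy_bits(sigma_lsb)
    if h == 0.0:
        raise ValueError("noise is below ADC resolution; raise gain or R")
    return math.ceil(target_bits / h)


# Constructed operating point (assumed values, not from the post)
R, T, B = 10e3, 300.0, 20e3      # 10 kOhm, 300 K, 20 kHz
GAIN = 1000.0                    # use the guaranteed minimum gain
LSB = 3.3 / 2**16                # 16-bit ADC, 3.3 V full scale

if __name__ == "__main__":
    v = johnson_vrms(R, T, B)
    print(f"noise at resistor: {v * 1e6:.2f} uV rms")
    print(f"min-entropy/sample: {min_entropy_bits(GAIN * v / LSB):.2f} bits")
    print(f"samples for 256 bits: {samples_needed(256, R, T, B, GAIN, LSB)}")
```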