[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Ron Garret ron at flownet.com
Sat May 15 21:04:40 EDT 2021


On May 13, 2021, at 10:21 PM, John Denker via cryptography <cryptography at metzdowd.com> wrote:

> A recorded hiss is a terrible idea, for multiple reasons:
>  1) It's finite.
>  2) The existence of a recording invites a replay attack.

I guess I should have been more explicit: you use the recording to seed a PRNG and then you destroy it.  (I thought that would go without saying in this group.)

Any time you feel the need to re-seed your PRNG you make a new recording, feed it to the PRNG, then destroy it, obviously taking appropriate precautions to prevent an adversary from obtaining a copy while it exists. (You have to protect the state of your PRNG anyway, so I feel like I’m belaboring the obvious here.)

>  3) It's hard to characterize. Just because it "sounds white" to you
>   doesn't mean it's reliably white.

I never said it was.  It almost certainly isn’t.  But that’s the whole point: it doesn’t matter.  As long as it contains enough entropy for your security needs, that’s good enough.  256 bits of entropy is probably plenty to secure anything short of a nuclear stockpile, and even a bad noise source will produce that with probability becoming indistinguishable from 1 after a very small number of seconds.

> All that ugliness is completely unnecessary. You'd be a lot better
> off using Johnson noise:

That is far from clear.  It might be a better source of entropy in theory, but it presents a different problem: how do you know that what you’re getting out of it is actually Johnson noise?  Unless you fabricate the noise generator yourself from raw materials, how do you know it hasn’t been compromised?

The advantage of using an audio recording is that you can easily verify that the data you have is (with very high probability) the data that you think you have.  You are going to have a very hard time distinguishing “real” Johnson noise from a facsimile injected into your system by an adversary.  By way of very stark contrast, if you record yourself saying “foo baz bar shhh shhh shhh” using consumer hardware and then listen to that recording and it sounds like your voice, then it is extremely unlikely that the recording has been tampered with at the hardware level.

But again, this doesn’t matter.  If you’re paranoid about audio, use a camera.  Or a mouse.  Or type random characters on a keyboard and measure the timing.  Or whatever.  The key to being secure is not the quality of the noise source but taking the time to collect enough of it.

>  1') It offers an endless supply of noise.

Why would you want that?  You’re still going to be rate limited by the bandwidth of the generator.  Why is that better than a properly seeded CSPRNG?

>  2') It cannot be overheard or replayed.

Of course it can.  If you’re using it for cryptography, then at some point you have to render that noise as a cryptographic key, and at that point it can potentially be compromised.  There is literally no difference in the potential for compromise in a key seeded from Johnson noise and the state of a CSPRNG.  They are both just bits in memory.  Where they came from doesn’t matter unless your adversary can use the knowledge of their source to mount an attack.

>  3') It can be well characterized in terms of the fundamental physics
>   plus well-determined engineering parameters such as gain and
>   bandwidth. There are a couple of Phys. Rev. Letters on this subject
>   by my buddies Nyquist and Johnson.

So?  Why is that an advantage?  At the end of the day what matters is that you are in possession of a small set of bits that you know and your adversary doesn’t.  Anything else is (sorry, I can’t resist) lost in the noise.

>> The hard part is not finding good sources of entropy.  The hard part
>> is protecting that source against tempest attacks and other forms of
>> eavesdropping.
> 
> There's more than that to worry about. A lot more.

Sorry, I still don’t see why.

rg
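As an added illustration of the procedure Ron describes (this is editor-supplied example code, not part of either message): record noise, credit it conservatively, stop once 256 bits of estimated min-entropy have been gathered, hash the samples into a seed, wipe the recording, and expand the seed deterministically. The "recording" is a constructed, deliberately biased stand-in for microphone hiss; the per-sample estimate is the most-common-value estimator from NIST SP 800-90B, and the HMAC-SHA256 counter expansion is a simplification standing in for a real CSPRNG.

```python
import hashlib
import hmac
import math
import random

TARGET_BITS = 256  # the "256 bits of entropy" budget discussed above

def simulated_recording(n, rng):
    """Constructed stand-in for microphone hiss: biased, not reliably white."""
    # The sum of several small uniform draws gives a peaked, non-flat histogram.
    return bytearray(sum(rng.randint(0, 42) for _ in range(6)) for _ in range(n))

def mcv_min_entropy(samples):
    """Most-common-value min-entropy estimate, bits per 8-bit sample (SP 800-90B 6.3.1)."""
    n = len(samples)
    p_max = max(samples.count(v) for v in set(samples)) / n
    # 99% upper confidence bound on the most common value's probability.
    p_upper = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return -math.log2(p_upper)

def collect_seed(rng_seed, block=64):
    """Keep recording until the conservative estimate reaches TARGET_BITS, then seed and wipe."""
    rng = random.Random(rng_seed)  # constructed noise source, deterministic for the demo
    recording = bytearray()
    while True:
        recording += simulated_recording(block, rng)
        per_sample = mcv_min_entropy(recording)
        if per_sample * len(recording) >= TARGET_BITS:
            break
    seed = hashlib.sha256(recording).digest()  # condense every sample into a 256-bit seed
    for i in range(len(recording)):            # destroy the recording once it has been used
        recording[i] = 0
    return seed, len(recording), per_sample

def expand(seed, nbytes):
    """Minimal HMAC-SHA256 counter expansion of the seed (illustrative, not a full DRBG)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]

if __name__ == "__main__":
    seed, used, h = collect_seed(1)
    print(f"{used} samples at ~{h:.2f} bits/sample (conservative) -> seed {seed.hex()}")
    print("first output block:", expand(seed, 16).hex())
```

The estimator charges only for the most likely sample value, so a biased source is credited with well under 8 bits per sample and the loop simply records a little longer, which is the "collect enough of it" point made above.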
