[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Ron Garret ron at flownet.com
Sat May 15 21:31:55 EDT 2021


On May 14, 2021, at 1:02 PM, Arnold Reinhold via cryptography <cryptography at metzdowd.com> wrote:

> 
> 
>> On May 13, 2021, at 11:48 AM, Ron Garret <ron at flownet.com> wrote:
>> 
>> 
>> On May 5, 2021, at 10:00 AM, Arnold Reinhold via cryptography <cryptography at metzdowd.com> wrote:
>> 
>>> On Fri, 30 Apr 2021 06:45:15 -0700 Ron Garret wrote:
>>> 
>>>> On Apr 26, 2021, at 2:59 PM, John-Mark Gurney <jmg at funkthat.com> wrote:
>>>> 
>>>>> This applies to ALL TRNG sources.  You cannot use a TRNG if you cannot
>>>>> understand and model the underlying physics to decide if it's random
>>>>> or not.
>>>> 
>>>> This is the wrong way to think about it.  First, randomness is not binary.  A system is not “random” or “not random”.  The right way to think about it is: how many bits of entropy does a system reliably produce per unit time.
>>>> 
>>>> Second, entropy can only be measured with respect to a prospective adversary’s knowledge.  The best entropy source is useless if your adversary can read the output (e.g. via a tempest attack).
>>>> 
>>>> The physical details of your RNG hardly matter at all.  The thing that matters is *having a reliable estimate of the lower bound of the entropy produced by your system with respect to prospective adversaries*.  If you have that, you win with the following simple procedure: collect 10x or 100x more entropy than you think you need for a given security level, then use that to seed a good PRNG.  If you don’t have that, you lose no matter how fancy your hardware is.
>>>> 
>>>> That is really all anyone ever needs to know about TRNGs.
>>> 
>>> 
>>> I think you may be missing the point.  How do you get “a reliable estimate of the lower bound of the entropy produced” without an understanding of the physical details of the generator? In addition, knowledge of the physical details may help in verifying that a supposed TRNG was constructed the way the manufacturer says, perhaps by verifying temperature or voltage variability.
>>> 
>>> Unpredictable bit strings are the bedrock on which modern security systems are built. If that unpredictability cannot be guaranteed, nothing is safe.
>> 
>> [Sorry for the long delay in responding to this.]
>> 
>> Theoretically what you say is true.  But as a practical matter it is largely irrelevant because good sources of entropy are ubiquitous nowadays. Make an audio recording of yourself making pretty much any sound (saying “hisssssss” would be particularly effective) for a few seconds and you will have all the entropy you need for even the most demanding application.  You don’t need to understand the details of how your audio system works to be able to rely on it.  All you need is to be able to verify that the recording you get bears some resemblance to the sound you made in order to produce it (to verify that it is working at all).
>> 
>> The hard part is not finding good sources of entropy.  The hard part is protecting that source against tempest attacks and other forms of eavesdropping.
>> 
> 
> There are plenty of situations where entropy is required and there is no microphone nor camera (my favorite) nor other analog input and no human to hiss into a microphone if there is one. I believe this thread started as a discussion of TRNGs embedded in microprocessors and SOCs.  When they are present, it is likely that many developers will rely on them, even though there may be alternatives. Hence it is important to get them designed well and to provide ways to assure that all has been done properly and there are no shenanigans. It can’t be said often enough, random number generation is a silent, single point of failure for cryptographic systems.

Yes, I agree with all that, but I don’t see why it’s relevant.  Either you trust your hardware supplier or you don’t.  Either way, the physical details of the TRNG don’t matter, at least not to you.  You should hope that they matter to your supplier, and maybe you’ll want to inquire about them as part of your vetting process, but again, at the end of the day it all still comes down to trust.  It would be easier for you to build your own TRNG from raw materials than to verify that the story that your hardware supplier told you about the TRNG you bought from them is actually true.

By way of very stark contrast, it is borderline trivial to verify that a recording you made of yourself bears some resemblance to the sounds that you recorded and so with very high probability contains a certain minimal level of entropy per unit time.  You don’t have to trust anyone to implement that strategy.  IMHO that is the overriding consideration.

rg
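
The procedure discussed in this thread (put a conservative lower bound on the entropy of a recording, collect 10x what the security level needs, then condition the result into a PRNG seed), written out as an added example that is not part of the original post. The function names, the choice to credit only the low 4 bits of each sample, the most-common-value estimator borrowed from NIST SP 800-90B, and SHA-256 as the conditioner are all assumptions of this example.

```python
import hashlib
import math
import random
import struct
from collections import Counter

SAFETY_FACTOR = 10  # the thread's "collect 10x ... more entropy than you think you need"


def mcv_min_entropy(symbols):
    """Most-common-value min-entropy estimate, in bits per symbol (NIST SP 800-90B style)."""
    n = len(symbols)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(symbols).most_common(1)[0][1] / n
    # Upper end of a 99% confidence interval on the most likely symbol's probability.
    p_upper = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return max(0.0, -math.log2(p_upper))


def seed_from_recording(pcm, security_bits=256):
    """Condition 16-bit PCM samples into a 32-byte seed, refusing a dead or short input."""
    # Assumption: credit only the low 4 bits of each sample, where noise dominates.
    credited = mcv_min_entropy([s & 0xF for s in pcm]) * len(pcm)
    needed = SAFETY_FACTOR * security_bits
    if credited < needed:
        raise ValueError(f"credited {credited:.0f} bits, need {needed}")
    # Hash every raw sample, not just the credited bits, so nothing is thrown away.
    return hashlib.sha256(struct.pack(f"<{len(pcm)}h", *pcm)).digest()


# Constructed stand-ins for a recording: a seeded generator makes the example
# repeatable, so these values hold no real entropy. Real input comes from the ADC.
_rng = random.Random(1)
NOISY = [_rng.randint(-2000, 2000) for _ in range(4000)]
STUCK = [0] * 4000  # muted or disconnected microphone

if __name__ == "__main__":
    print("seed:", seed_from_recording(NOISY).hex())
    try:
        seed_from_recording(STUCK)
    except ValueError as err:
        print("rejected:", err)
```

The statistical estimate only catches an input that is dead, stuck or too short; it says nothing about what an eavesdropper may already know about the samples, which is the bound the thread is actually arguing about.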
