[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Ondrej Mikle ondrej.mikle at gmail.com
Thu May 20 20:19:59 EDT 2021


On 5/17/21 6:28 PM, Kent Borg wrote:
> On 5/13/21 8:48 AM, Ron Garret wrote:
>> The hard part is not finding good sources of entropy.  The hard part is
>> protecting that source against tempest attacks and other forms of eavesdropping.
> 
> No.
> 
> The hard part about RNGs is that when they fail, they usually do so silently.

Yes. Not sure whether this was mentioned (it likely was); that's why RNGs use
whitening.

If you take an off-the-shelf chip, you might well find that it will generate
the same 32-byte block again even if you kept all the timings required in the
datasheet, and worse. Running diehard(er) tests might even show worse results.

From an experiment, after 2M requests to the RNG the tested chip started producing
all zeros.

If you look at the STM32 manual for example, there is a loop that will discard any
32-bit "random number" that is the same as the previous one, which is one workaround,
even though it carries a bit of statistical skew. But it will stop a bad RNG from
working since it will be stuck in an infinite loop.

We actually need to design a TRNG that solves issues like these and it's
definitely no easy task.

OM
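The discard-if-equal loop from the STM32 manual mentioned above, with a bounded retry budget so a source that gets stuck (repeating words, or all zeros) reports an error instead of spinning forever, as an added example that is not from the post or from any vendor's firmware. The hardware read hook and the two fault-model sources are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hardware read hook (assumption): on a real part this would poll the ready
 * flag and read the RNG data register; here constructed sources drive it. */
typedef uint32_t (*rng_read_fn)(void);
enum { TRNG_OK = 0, TRNG_ERR_REPEAT = -1 };
#define TRNG_MAX_RETRIES 8  /* bounded, unlike a "retry while equal" loop */

struct trng_state {
    rng_read_fn read;
    uint32_t prev;        /* last word handed out */
    bool have_prev;
    unsigned stuck_count; /* repeats seen during the last read */
};

/* Continuous repetition test: discard a word equal to the previous one, but
 * give up after TRNG_MAX_RETRIES so a dead source returns an error instead
 * of hanging the firmware forever. */
int trng_read32(struct trng_state *s, uint32_t *out)
{
    s->stuck_count = 0;
    for (unsigned i = 0; i < TRNG_MAX_RETRIES; i++) {
        uint32_t v = s->read();
        if (!s->have_prev || v != s->prev) {
            s->prev = v; s->have_prev = true; *out = v;
            return TRNG_OK;
        }
        s->stuck_count++;
    }
    return TRNG_ERR_REPEAT;
}
/* Fail closed: any error zeroes the whole buffer and is reported, so a
 * partial fill can never be mistaken for entropy. */
int trng_fill(struct trng_state *s, uint8_t *buf, size_t len)
{
    for (size_t off = 0; off < len; off += 4) {
        uint32_t w;
        int rc = trng_read32(s, &w);
        if (rc != TRNG_OK) { memset(buf, 0, len); return rc; }
        memcpy(buf + off, &w, len - off < 4 ? len - off : 4);
    }
    return TRNG_OK;
}
/* Constructed fault models, not real hardware: an LCG as a healthy stand-in
 * and a source stuck at zero like the chip described in the post. */
static uint32_t src_healthy(void) { static uint32_t c = 0x2545F491u; return c = c * 1664525u + 1013904223u; }
static uint32_t src_stuck_zero(void) { return 0; }
```

The first word from a fresh state cannot be judged by this test alone (there is nothing to compare it with), which is why a caller should also run a start-up test before trusting the source.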

