[Cryptography] Duh, why aren't most embedded TRNGs designed this way?

Ondrej Mikle ondrej.mikle at gmail.com
Sat May 22 20:30:15 EDT 2021


On 5/21/21 11:02 PM, Ben Laurie via cryptography wrote:
> I'm not even sure why we're discussing this *again*, but...
> 
> Another issue is that a counter encrypted with a known AES key will pass
> these tests.

Because it wasn't solved in actual HW yet. I am not talking now about
statistical tests.

There is the Hector project that struck me as interesting since they had some sort of
proof that the TRNG, the way they designed it, "won't fail" (don't take it
literally, but they had a really good idea on design, implementation and tests and
IIRC somebody already posted the paper/presentation in this thread).

The presentation I saw was IIRC Cardis 2019? Probably could dig it up later,
it's fairly long.

I didn't understand the design 100% (not my field) and it has been several years
since I saw the presentation but to my recollection it seemed like one of the
best designs I saw. Not like what you have in Intel, ARM or various processors
where most of the design is security by obscurity and you can't inspect/test the
design. Or test/prove that it won't fail later. Hector actually had some trick
to show that it won't silently fail later.

It was probably the closest thing to a mathematical proof (albeit probabilistic
IIRC) you could have when it comes to hardware TRNG.

Regards,
  OM
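As an added illustration of the point quoted at the top of this message (example code, not part of the original thread): a stream produced by running a fixed, publicly known key over a counter passes the NIST SP 800-22 frequency and runs tests, while anyone holding the key can reproduce every byte of it. HMAC-SHA256 stands in for AES because Python's standard library has no AES; the key, counter layout and sample size are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import math

# Constructed sample parameters (assumptions, not from the thread): a fixed,
# publicly known 128-bit key and 4 KiB of output.
KNOWN_KEY = bytes(16)
SAMPLE_BYTES = 4096


def keyed_counter_stream(key: bytes, n_bytes: int) -> bytes:
    """Encrypt a counter under a known key. HMAC-SHA256 stands in for AES
    (stdlib has no AES); any keyed PRF over a counter behaves the same way."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(key, counter.to_bytes(16, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n_bytes])


def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test."""
    bits = to_bits(data)
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(len(bits)) / math.sqrt(2))


def runs_p_value(data: bytes) -> float:
    """NIST SP 800-22 runs test (0.0 when the frequency precondition fails)."""
    bits = to_bits(data)
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    return math.erfc(num / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def passes_tests(data: bytes, alpha: float = 0.01) -> bool:
    """True when both tests accept the data at significance level alpha."""
    return min(monobit_p_value(data), runs_p_value(data)) >= alpha


if __name__ == "__main__":
    stream = keyed_counter_stream(KNOWN_KEY, SAMPLE_BYTES)
    # Same key, same counter: the output is fully reproducible (zero entropy),
    # yet the statistical tests cannot tell it from a true random source.
    print("reproducible:", stream == keyed_counter_stream(KNOWN_KEY, SAMPLE_BYTES))
    print("passes monobit+runs:", passes_tests(stream))
    print("all-zero bytes pass:", passes_tests(bytes(SAMPLE_BYTES)))
```

The tests reject a degenerate all-zero stream, so they do catch a dead source; what they cannot catch is a source that is deterministic but well-distributed, which is why passing them says nothing about entropy.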
