The world's (other) most secure TRNG

ianG iang at iang.org
Mon Sep 29 03:44:02 BST 2014




-------- Original Message --------
Subject: 	Re: [Cryptography] The world's most secure TRNG
Date: 	Sun, 28 Sep 2014 07:27:57 -0400
From: 	Bill Cox <waywardgeek at gmail.com>
CC: 	cryptography at metzdowd.com <cryptography at metzdowd.com>



I have a quick question for you guys.  For a USB stick TRNG, would you
rather pay ~$15 for a 100K-byte/second source of true entropy, or ~$30
for a 1M-byte/second source?

I am currently designing a USB stick version of an INM to promote the
architecture.  I plan to offer them for sale for what it costs me to
build them, which in low volume I expect to be around $15 to $30
depending on the speed target.  Schematics, board layout, and BOM will
be made public-domain.  Currently my target spec is 1MiB/second
(mega-byte, not bit), over USB 2.0, but some of the high-performance
parts are expensive (high-speed buffer, comparator, op-amp, and analog
switch).  Just using a jelly-bean quad op-amp is super-cheap, but 20X
slower.

The jelly-bean op-amp based versions are available on github, with
LTspice schematics and sims:

https://github.com/waywardgeek/infnoise

It's cheap, comparatively fast, and unlike other TRNGs, it's easy to get
right.  It is 10X more fool-proof than any other TRNG I know of, simply
because of its near immunity to signal injection, power supply noise,
cross-talk, etc.  No shielding is required, and the power supply can be
noisy.  No care needs to be taken with cross-talk between traces.
Attackers are welcome to inject strong signals into this TRNG, which
simply results in enhancing entropy, rather than subverting it.  It
turns out that attackers make a nice source of entropy, and INMs add all
sources, without letting any saturate the signal.

Basically, TRNGs today generally amplify a noise source until it
saturates to a 0 or 1.  Such systems are *very* hard to get right
because they are so sensitive to external noise.  The right way to
amplify the noise source is with modular multiplication rather than
saturating multiplication. It is as simple as that.

There is some analysis on that page, and test-code to verify that the
level of entropy shifted out per bit, when the loop amplification is A, is:

    E = log(A)/log(2)

For example, when using a gain of sqrt(2), rather than 2, each bit
shifted out contributes 1/2 bit to the entropy pool.  I've written code
to test the entropy of INM output, and measurements on simulation data
closely match this equation.

At least for the most sensitive cryptography, I think we should stop
using zener noise, oscillator jitter, latch power-up state, and other
TRNG architectures that are highly sensitive to noise that could be
controlled by an attacker, and which are too hard for regular guys to
get right on a board.

Bill
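As an added illustration of the E = log(A)/log(2) claim in Bill's message (example code written here, not code from the infnoise project): it models the INM loop as a two-branch modular-multiplication map, which is an assumption of this example rather than the project's own circuit equations, and counts how many distinct output strings the loop can produce after n cycles; the growth rate of that count is the entropy per output bit.

```python
"""Checking E = log2(A) for an INM-style modular-multiplication loop.

Model (an assumption of this example, not the infnoise circuit equations):
the loop holds a voltage V in [0, 1). Each cycle the comparator emits
bit = (V >= 0.5) and the loop multiplies by the gain A "modularly":
    V <- A*V            if V < 0.5
    V <- A*V - (A - 1)  otherwise
so V never saturates at a rail. Starting states that yield the same n-bit
output string form one sub-interval of [0, 1); counting those sub-intervals
(the laps of the n-fold map) counts the reachable strings, and with a
constant slope A that count grows like A**n, i.e. log2(A) bits per bit.
"""
import math
from typing import List, Tuple

Interval = Tuple[float, float]

def inm_branch(v: float, gain: float, upper: bool) -> float:
    """Apply one loop cycle on the lower (V < 0.5) or upper (V >= 0.5) branch."""
    return gain * v - (gain - 1.0) if upper else gain * v

def inm_step(v: float, gain: float) -> Tuple[int, float]:
    """One INM cycle: the comparator bit shifted out and the next loop voltage."""
    upper = v >= 0.5
    return int(upper), inm_branch(v, gain, upper)

def lap_count(gain: float, n: int) -> int:
    """Number of distinct n-bit strings reachable from V0 uniform in [0, 1)."""
    intervals: List[Interval] = [(0.0, 1.0)]
    for _ in range(n):
        nxt: List[Interval] = []
        for lo, hi in intervals:
            # Cut at the comparator threshold; each piece follows one branch
            # and the two pieces carry different output bits from here on.
            for a, b in ((lo, min(hi, 0.5)), (max(lo, 0.5), hi)):
                if b > a:
                    upper = a >= 0.5
                    nxt.append((inm_branch(a, gain, upper), inm_branch(b, gain, upper)))
        intervals = nxt
    return len(intervals)

def entropy_per_bit(gain: float, n1: int, n2: int) -> float:
    """Estimate E from the growth of the reachable-string count between n1 and n2 cycles."""
    return math.log2(lap_count(gain, n2) / lap_count(gain, n1)) / (n2 - n1)

if __name__ == "__main__":
    for gain in (2.0, math.sqrt(2.0)):
        n1, n2 = (4, 12) if gain == 2.0 else (10, 30)
        print(f"A={gain:.4f}: measured E={entropy_per_bit(gain, n1, n2):.3f}, "
              f"log2(A)={math.log2(gain):.3f}")
```

With A = 2 the map is exactly x -> 2x mod 1 and the count doubles every cycle (E = 1); with A = sqrt(2) the estimate comes out close to 1/2 bit per shifted-out bit, matching the message's example.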
