[Cryptech Tech] ASIC implementation page on wiki

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Aug 17 12:08:15 UTC 2014


Benedikt Stockebrand <bs at stepladder-it.com>

>The problem I see with that is that if we run into problems with some
>"improved", "low noise" diodes being slipstreamed into production, then we
>have one hell of a rollback to do.

The solution is to never rely on a single source.  If you look at the NSA's
Capstone design they use a noise source, an ANSI X9.17 generator using a
per-device seed, and a counter, and feed it all into a SHA-1 whitener/mixer.
This is a good, sound design: any one (and, worst-case, even two) of those
components can fail and the generator will still produce usable output.

So add two different diodes, a ring oscillator, a counter, and some sort of
crypto PRNG (everything except the diodes can presumably go on an FPGA/ASIC)
and hash the output, then you don't need to worry about a change in the
manufacturing process killing your entire RNG.

Oh, and just moving to an ASIC isn't necessarily going to fix things; the old
Intel PIII RNG was discontinued because a change in the manufacturing process
rendered it unusable.  It wasn't until about a decade later with RDRAND that
they came up with a design that wasn't susceptible to changes in the
manufacturing process.

Peter.
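An added illustration of the multi-source mixing argument in the message above (example code written for this page, not from the list or from the Cryptech project): several inputs are hashed together, and a simple health check flags a source that has gone constant. The source names, the HMAC ratchet standing in for the X9.17 stage, and the seed value are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sources: a live noise source, and a "stuck" one that models a
# diode whose manufacturing process changed so that it now emits a constant.
def live_noise():
    return os.urandom(32)

def stuck_noise():
    return b"\x00" * 32

class MultiSourceMixer:
    """Hash mixer in the spirit of the design discussed above: noise sources,
    a per-device-seeded PRNG stage and a counter are all fed into one hash,
    so a single failed input does not leave the output constant."""

    def __init__(self, sources, device_seed):
        self.sources = sources          # zero-argument callables returning bytes
        self.counter = 0
        self.prng_state = device_seed   # per-device seed for the PRNG stage

    def _prng(self):
        # HMAC-based ratchet, a hypothetical stand-in for an X9.17 generator.
        self.prng_state = hmac.new(self.prng_state, b"next", hashlib.sha256).digest()
        return self.prng_state

    def next_block(self):
        self.counter += 1
        h = hashlib.sha256()
        h.update(self.counter.to_bytes(8, "big"))
        h.update(self._prng())
        for src in self.sources:
            h.update(src())
        return h.digest()

def stuck_sources(sources, samples=16):
    """Health check: indexes of sources whose last `samples` outputs were all
    identical. A healthy noise source practically never repeats a 32-byte value."""
    return [i for i, src in enumerate(sources)
            if len({src() for _ in range(samples)}) == 1]

def same_seed_outputs(sources, seed=b"constructed-device-seed-0001"):
    """Build two mixers from the same seed and sources; return their first blocks.
    If every hardware source is dead, both blocks are identical: the output then
    depends only on the seed, which is exactly the failure the design guards against."""
    return (MultiSourceMixer(sources, seed).next_block(),
            MultiSourceMixer(sources, seed).next_block())
```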

