[Cryptech Tech] HWRNG specs

Bernd Paysan bernd at net2o.de
Mon Dec 8 20:24:47 UTC 2014


On Monday, 8 December 2014, 13:12:11, Olli Ottela wrote:
> Hello.
> 
> I spotted a picture of Cryptech HWRNG from ioerror's twitter wall. I'm
> working on a high-assurance Pidgin (https://github.com/maqp/tfc) that uses
> one-time pads and one-time MACs to provide information theoretical security
> (a cascading encryption version also exists). Since a lot of truly random
> data is required I'd be very interested to learn more about your project,
> about how open source the hardware is, at what speed can entropy be
> sampled, how Ent and Dieharder have evaluated the output. The cost is
> something to consider as well: TFC already requires users invest in
> hardware.

I hope you have read what Bruce Schneier says about one time pads:

https://www.schneier.com/crypto-gram-0210.html#7

Short summary: "One-time pads may be theoretically secure, but they are not 
secure in a practical sense. They replace a cryptographic problem that we know 
a lot about solving -- how to design secure algorithms -- with an 
implementation problem we have very little hope of solving. They're not the 
future. And you should look at anyone who says otherwise with deep and 
profound suspicion."

So I look at you with deep and profound suspicion.

However:

The ring oscillator based hardware RNG can be pretty fast (much faster than 
the diode noise entropy source); each single oscillator can produce one bit of 
randomness every 128 cycles, and you can instantiate many of those.  A single 
ring oscillator takes only a few LEs.  So a gigabyte per second is easily 
doable, if you manage to get it out of the FPGA.  However, the raw entropy of 
these ring oscillators is biased, so you need a conditioner which compresses 
the entropy a bit (2:1 ratio) by running it through a hash like SHA-512.  Once 
you do that, your one time pad depends on SHA-512 provably taking out all 
patterns and biases from the raw entropy source; and you guess: there is no 
way to prove this.  Nor would it be provable, if you replace SHA-512 with any 
other conditioner.  And the raw entropy source is measurably biased, and a 
bias breaks the security proof of the OTP.

Cost per random generator depends on volume, and the entropy sources are just 
a (small) part of the entire project: You need some entropy to be secure, but 
you don't need that much.

The entire project is very open, so you can take out the parts you need and 
put them together in the way you need.

BTW: Passing dieharder is in no way a proof of security.  You can make a 
deterministic, reversible function that is fully known to the attacker (e.g. a 
block cipher like Threefish or AES with a known key in counter mode as stream 
cipher), and *still* produce data that passes dieharder.

Failing dieharder however is a proof of non-security, but it doesn't prove 
that your raw entropy source is bad.  If you put the raw entropy source, 
before the mixer/conditioner into dieharder, it will fail, due to the bias.  
The bias is a natural consequence of how the circuit that converts noise to 1s 
and 0s works.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
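An added illustration of the two points in the mail above (a biased raw source fails a statistical test, a 2:1 SHA-512 conditioner or even a known-key counter-mode stream passes it); this is example code, not Cryptech's or the author's, and the biased bit generator is a constructed stand-in driven by a seeded PRNG, not a model of a ring oscillator.

```python
import hashlib
import math
import random


def biased_raw_bits(n_bytes, p_one=0.56, seed=1):
    """Constructed stand-in for a raw sampler whose 1s are likelier than 0s.
    The seeded PRNG only makes the demo reproducible; it is not entropy."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_bytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | int(rng.random() < p_one)
        out.append(byte)
    return bytes(out)


def condition_sha512(raw):
    """2:1 conditioner: each 1024-bit raw block becomes one 512-bit digest."""
    usable = len(raw) - len(raw) % 128
    return b"".join(hashlib.sha512(raw[i:i + 128]).digest()
                    for i in range(0, usable, 128))


def sha512_ctr_stream(key, n_bytes):
    """Deterministic stream: a known key in counter mode, with no entropy at all."""
    blocks = (n_bytes + 63) // 64
    return b"".join(hashlib.sha512(key + i.to_bytes(8, "big")).digest()
                    for i in range(blocks))[:n_bytes]


def ones_fraction(data):
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


def monobit_p_value(data):
    """NIST SP 800-22 frequency (monobit) test; p below 0.01 counts as a fail."""
    n = 8 * len(data)
    s_obs = abs(2 * sum(bin(b).count("1") for b in data) - n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def demo(n_raw_bytes=100_000):
    """Returns {name: (fraction of ones, monobit p-value)} for the three streams."""
    raw = biased_raw_bits(n_raw_bytes)
    conditioned = condition_sha512(raw)
    known = sha512_ctr_stream(b"publicly known key", len(conditioned))
    streams = [("raw", raw), ("conditioned", conditioned), ("known-key ctr", known)]
    return {name: (ones_fraction(d), monobit_p_value(d)) for name, d in streams}
```

The raw stream fails the test on bias alone, while the conditioned output and the known-key stream both pass it, which is exactly why passing a statistical test says nothing about how much entropy went in.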