[Cryptech Tech] User auditable hardware entropy source/random number generator
Bernd Paysan
bernd at net2o.de
Fri Jul 11 21:01:03 UTC 2014
On Friday, 11 July 2014, 18:12:39, Joachim Strömbergson wrote:
> What I think Fredrik had in mind was to use a MCU to implement control
> and sampling of the entropy source.
I think you can use more of the hardware of an MCU, if you want to (what
Benedikt actually does is explained in his reply). The signal of such a diode
is white noise in the analog domain. So to extract the most entropy out of
it, you amplify it so that the signal still fits within the range of the ADC.
You now can measure the amplitude of the signal, and you will get about 7 bits
of entropy per byte sampled. Some people have reported that this diode noise
is good for up to around 1 MHz, so you could sample with 2 Megasamples per
second, which gives you somewhat nearly 2 Megabytes of entropy per second. As
usual, YMMV, so doing some fast sampling first and then figuring out what you
can usefully do is the best approach.
That's a bit tricky in an FPGA, where you don't have an ADC, but far from
impossible - you can build an ADC inside an FPGA, even a pretty fast one (we
had a 100MHz ADC with ~8 bit resolution in a digital audio project - in the
FPGA; several of these ADCs, to be precise; they don't take up that much
space, and need only passive components and the actual amplifier outside -
just like with an MCU).
The output of this ADC will not pass statistical tests, as the ADC has
nonlinearities (especially DNL matters here - each individual code has a
different voltage range, and therefore, the histogram will show a typical
pattern, which is partly due to the device itself, partly due to general
construction issues). And there are codes in the upper and lower part that are
outside the reach of the signal. Having direct access to this raw data is
important for trust, because this data gives you confidence that the diode is
indeed noisy (with an expected noise amplitude), and you can FFT the values to
learn how the noise is distributed over frequency - there will be a DC cutoff,
because the level shifter is adaptive, and there will be an AC cutoff, because
the avalanche noise is a low-frequency phenomenon (well, up to 1MHz is
possible, but usually not beyond).
So the next stage is to feed this raw code into a hash, and compress it
somewhat, so that you now get digital white noise out. This part is identical
to what we need for the ring oscillator noise, too.
About what's AIS31:
https://www.bsi.bund.de/cae/servlet/contentblob/478128/publicationFile
That contains other parts like
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Interpretationen/AIS_20_AIS_31_Evaluation_of_random_number_generators_e.pdf?__blob=publicationFile
As Benedikt is German, he can read all that (some documents are in German,
some in English...).
--
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
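The raw-ADC-then-hash pipeline Bernd describes, as an added example that is not part of the post and not Cryptech code. It assumes an 8-bit ADC, stands in for the diode with a constructed Gaussian noise model (with a crude DNL effect and codes at the ends of the range that the signal never reaches), keeps the raw codes available for inspection, estimates min-entropy from their histogram, and only then compresses them through SHA-256. The 2x entropy margin in the conditioner and the choice of SHA-256 are assumptions for the example, not figures from the post.

```python
# Added example (not Cryptech code, not from the post): a toy model of the
# pipeline Bernd describes. Raw ADC codes of amplified diode noise are kept
# as-is for inspection, checked with a histogram-based entropy estimate, and
# only then compressed through a hash into conditioned output bits.
import hashlib
import math
import random
from collections import Counter

ADC_BITS = 8                 # assumed resolution, matching the ~8 bit ADC in the post
ADC_CODES = 1 << ADC_BITS


def simulate_raw_adc(n, seed=1234):
    """Constructed stand-in for the raw ADC stream (no real hardware here).

    Gaussian noise centred in the ADC range, scaled so the extreme codes are
    practically never reached, plus a crude DNL model: a fifth of the odd
    codes are reported as their even neighbour, so even bins are wider."""
    rng = random.Random(seed)
    out = bytearray()
    while len(out) < n:
        code = int(rng.gauss(ADC_CODES / 2, ADC_CODES / 8))
        if code < 0 or code >= ADC_CODES:
            continue                      # sample clipped by the ADC range
        if code % 2 == 1 and rng.random() < 0.2:
            code -= 1                     # DNL: odd code folds into even neighbour
        out.append(code)
    return bytes(out)


def histogram(samples):
    """Raw code histogram, the first thing to look at when auditing the source."""
    return Counter(samples)


def min_entropy_per_sample(samples):
    """Conservative entropy estimate in bits per sample: -log2(p_max)."""
    counts = histogram(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def unreached_codes(samples):
    """ADC codes that never occur; expected at the top and bottom of the range
    when the amplifier keeps the signal inside the ADC span."""
    seen = set(samples)
    return [c for c in range(ADC_CODES) if c not in seen]


def condition(samples, bits_per_sample, out_len=32):
    """Hash-based conditioner: gather raw samples until their estimated
    min-entropy is at least twice the output width (2x is an assumed safety
    margin, not a figure from the post), then emit SHA-256 of that chunk."""
    needed = math.ceil(2 * out_len * 8 / bits_per_sample)
    out = bytearray()
    for i in range(0, len(samples) - needed + 1, needed):
        out += hashlib.sha256(samples[i:i + needed]).digest()
    return bytes(out), needed


def ones_fraction(data):
    """Monobit sanity check on conditioned output; should sit close to 0.5."""
    ones = sum(bin(b).count("1") for b in data)
    return ones / (8 * len(data))


if __name__ == "__main__":
    raw = simulate_raw_adc(50_000)
    h = min_entropy_per_sample(raw)
    print(f"raw min-entropy: {h:.2f} bits/sample")
    print(f"unreached codes: {unreached_codes(raw)}")
    cond, per_block = condition(raw, h)
    print(f"{per_block} raw samples per 32-byte output block, "
          f"{len(cond)} bytes out, ones fraction {ones_fraction(cond):.3f}")
```

The point of keeping `simulate_raw_adc` output and `histogram` separate from `condition` is the trust argument in the post: the raw codes are what you inspect (histogram shape, unreached codes, an FFT if you want the spectrum), while the hash output is deliberately uninformative about the source, so it can only ever be tested for looking random, not for being random.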