[Cryptech Tech] User auditable hardware entropy source/random number generator

Benedikt Stockebrand bs at stepladder-it.com
Wed Jul 23 11:11:30 UTC 2014


Hi Fredrik and list,

> Thanks a lot for sharing. 

no worries---it's not as if I didn't benefit at least as much from your
feedback, too:-)

> I tried your circuit with some Zener diodes I had available without
> much success. Only one of them produced any noise to speak of.

A few updates on my side: Tests using a variety of THT (through-hole
technology) Zener diodes (and the proper firmware...) were all more or
less disappointing.  I didn't publish any results because in all but one
case my unshielded perfboard-based setup itself caught so much external
noise it was about as prominent as the noise from the Zener diode.

What I found to work with THT are some reverse biased BE junctions on
BJTs.  I haven't tried the 2N3904 you mention, but with what I tested so
far I got the best results from some BC337-16.  The BC547C I use for
amplification works but unfortunately yields only about half as much
output.

The situation also looks much better with various SMD (surface mounted
device) Zeners.  I'm not sure if I can do a proper test run on these
before Stockholm---I'd have to solder these up first, which makes it way
more tedious than THT---but I'll give it a try.

To reduce external noise and get more reliable test results I've almost
finished an all-in-one PCB design; it isn't meant for production use or
whatever, but to provide me a better test bed.  My intention is to order
a batch of these boards from Seeedstudio---unfortunately they won't be
here before I leave to Stockholm---and then have a basis to do some more
serious testing.  I'll attach the schematics below; if anyone happens to
want the Gerber and/or Eagle files, let me know.  Just don't laugh at
the messy^Wunoptimized layout.

Anyway, are you coming to Stockholm?  I intend to prepare a couple sets
of the Zeners/transistors I'm using so others can try as well; if you
don't make it, let me know your postal address and I'll send you a set.

@ALL: Anybody else who is interested just let me know.

> I decided to instead build me a generator core using 2N3904 transistors. Those 
> seem to be among the more common avalanche noise sources used in the various 
> hobby projects one can find on the Internet, so I had ordered a bunch of them.

I'll give them a try as well as soon as I get hold of them.  Looks like
the local Conrad outlet here in Frankfurt (my only sorry excuse for a
local source of components...) seems to have them stocked, so with some
luck I might have some basic results tonight.

> I basically built the circuit shown at
>
>   http://www.cryogenius.com/hardware/rng/

Hmm, do we have any electrical engineers around?  Here are my
not-so-professional impressions on that circuit:

- From what I've learned about transistor amplifier stages I'd rather
  stick with the voltage-feedback amplification (is that the proper
  English term?) I've used---it should be way more resilient to
  device tolerances.

- The circuit also heavily depends on the capacitances in Q1 and Q2,
  rather than using a capacitor for the job.  My experience is that a
  capacitor (between the collector of Q2 and GND in that schematic)
  actually increases both the amplitude and the irregularity of the
  output---the circuit as is should really work as a jittery oscillator
  only.

- Next, the 7805 is somewhat silly, because if R2 and R3 were instead
  fed from a 5V source, that would do the job just as well (and a 78L05
  should do anyway).

To be fair, this design is for a somewhat different purpose, with next
to no need for output bandwidth, no USB +5V, and it's apparently built
from whatever components the developer had at hand.

> and connected both the analog side (collector of Q3) and the digitized output 
> of a Schmitt trigger inverter to inputs of an Arduino. 

That Schmitt trigger should be unnecessary: The Atmel MCUs I have used
so far (I haven't explicitly checked the m328 datasheet for the Arduino
though) do a pretty good job at this as they are.

> The Arduino is not my usual choice of MCU, but I think it would be
> beneficial to use in prototyping this because it will enable more
> people to follow the progress and build their own circuits.

There's a point to that, however there are two aspects to the Arduino
that should be considered separately: 

Using the Arduino hardware is perfectly fine with me, as long as I can
eventually scale things down again to a smaller device.

But using the Arduino development environment is not such a good idea,
and for a whole range of reasons:

- There's no longer any diversity in development tools.

- It adds extra complexity to the design.

- The bootloader allows for unattended installation of new firmware.

- To my understanding it will be significantly more difficult to get the
  timing right.

- It will slow things down in general.

- Worst of all, I want to preserve options for a higher level of
  diversity with the MCUs, like switching to PIC or MSP430 MCUs.

In any case, I plan to send some more stuff around before Stockholm; if
I get it done in time, I'll add the Arduino hardware things to the
firmware code.

> I could tell already from looking at the analog noise that there was bias in 
> the analog noise - probably from using an overly simplistic amplifier stage, 
> but that got me thinking that maybe it is possible to build a framework (for 
> lack of a better word here) around the generator core that actually 
> compensates for somewhat bad noise?

Leave me time until Stockholm and I beat whatever I have into a shape
that's possible to understand for people who haven't actually built
it...

> Maybe we should expect that a lot of people will decide to use generator core 
> variant X or Y based on more or less good reasons, and some of these will no 
> doubt have bias or other problems associated with them, or develop such issues 
> over time.

I've spent some time on writing up my ideas already; I'm not sure if you
will agree on my priorities in all cases, but at least it may give you
some ideas on what to watch out for (and also why I'll continue with the
HWRNG-only thing as a parallel project).

> The robustness vs. speed tradeoff will be an interesting one, but at 
> the moment it seems to me that robustness has to come first.

Which is exactly why I opted for that edge-to-edge measurement and the
von Neumann extractor.  It'll work with just about anything generating
roughly breakdown-style noise by adjusting the output speed to the
particular device.

And if there was anything good at all about that rather embarrassing
episode on the "magic" Zener diodes, then that's the fact that this
entire screw-up was caused by accidentally using a firmware that was
tuned for the speed of a specific ("magic" type of:-) Zener diode
instead of robustness.

Oh, and by the way: I've got hold of one last set of the "magic" Zener
diodes; I haven't tested them yet, but if they behave like the first
batch I'll have about a dozen of them to hand out in Stockholm...

> You and Bernd have already discussed extractors (turning noise into entropy, 
> using the notions that you described). It seems you outlined a number of good 
> ideas there and I'm going to read those e-mails again and do some testing, and 
> hopefully have a working prototype producing good entropy even from suboptimal 
> avalanche noise soon.

I won't get to these aspects with my writeup before Stockholm, but it's
on the todo list.

But anyway, there may be a difference between my own project's
requirements and the Cryptech design: I want "pure" entropy as output
for my thing while within the Cryptech framework it may be more
reasonable to stuff whatever noise is available as is into the seed of a
CSPRNG.

> Please let me know if I can assist you somehow with the continued work
> on your generator core - you have been most helpful to me/us.

Just keep asking questions and challenging my ideas, and eventually
reproduce my results (or not:-) and that'll be more than I've ever
expected.


@ALL: Is it OK for you if I send things out by Thursday night to give
you a chance to take a look at things before Stockholm, or would that be
too late?  And how many of you would be interested in a set of
Zeners/transistors for testing?


Cheers,

    Benedikt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ARRGH-THT.0.2alpha.pdf
Type: application/pdf
Size: 28838 bytes
Desc: Current schematic (to be tested when PCBs arrive)
URL: <https://lists.cryptech.is/archives/tech/attachments/20140723/3064ba4d/attachment-0001.pdf>

-- 
                          Business Grade IPv6
                     Consulting, Training, Projects

Stepladder IT Training+Consulting GmbH      Benedikt Stockebrand
Fichardstr. 38, 60322 Frankfurt/Main        Dipl.-Inform./Geschäftsführer
HRB 94202, Registergericht Frankfurt/M      contact at stepladder-it.com   
http://www.stepladder-it.com/	            +49 (0) 69 - 247 512 362      
http://www.benedikt-stockebrand.de/         +49 (0) 177 - 41 73 985       

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/

No spam, no unsolicited sales calls, no telephone surveys, please. Calls
may be recorded for legal purposes.
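An added example (my own code, not from this thread or from Benedikt's firmware) simulating the edge-to-edge measurement and von Neumann extractor discussed above: it assumes, as a constructed scheme, that a raw bit is taken by comparing each interval against a fixed timer threshold, and shows how a threshold tuned for one device's speed produces biased raw bits on a slower device while the extractor still yields an unbiased stream at a lower rate.

```python
# Added example, not code from the thread or from Benedikt's firmware.
# It simulates an edge-to-edge timing front end on a breakdown-noise
# source and a von Neumann extractor, to show why the extractor is the
# robust choice: a digitisation threshold tuned for one device's speed
# gives biased raw bits on another, and the extractor compensates by
# trading output rate for an unbiased stream.
import math
import random


def simulate_intervals(n, mean_ticks, seed=1):
    """Constructed noise source: edge-to-edge intervals, in timer ticks,
    drawn from an exponential distribution (breakdown pulses arriving at
    random times).  mean_ticks stands in for a device's "speed"."""
    rng = random.Random(seed)
    return [max(1, round(rng.expovariate(1.0 / mean_ticks))) for _ in range(n)]


def raw_bits(intervals, threshold):
    """Naive digitisation (an assumption, not the thread's firmware):
    1 if the interval is longer than a fixed threshold, else 0.  Unbiased
    only if the threshold is the median of this device's intervals."""
    return [1 if t > threshold else 0 for t in intervals]


def von_neumann(bits):
    """von Neumann extractor: read bits in pairs, emit the first bit of a
    01 or 10 pair, drop 00 and 11.  Independent pairs with any fixed
    bias p give P(01) = P(10) = p(1-p), so the output is unbiased;
    the price is a rate of at most 1/4 of the input."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def bias(bits):
    """Fraction of ones; 0.5 means unbiased."""
    return sum(bits) / len(bits)


def evaluate(mean_ticks, threshold, n=20000):
    """Run one device through the chain and report raw bias, extractor
    output bias and the surviving output rate (output bits per raw bit)."""
    raw = raw_bits(simulate_intervals(n, mean_ticks), threshold)
    out = von_neumann(raw)
    return {"raw_bias": bias(raw), "out_bias": bias(out), "rate": len(out) / len(raw)}


if __name__ == "__main__":
    # Threshold tuned for a device with a 100-tick mean interval
    # (the median of an exponential with mean m is m * ln 2).
    tuned = round(100 * math.log(2))
    for mean in (100, 300):   # same firmware, then a three-times slower device
        print(mean, evaluate(mean, tuned))
```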

