[Cryptech Tech] User auditable hardware entropy source/random number generator

Fredrik Thulin fredrik at thulin.net
Wed Jul 23 22:03:43 UTC 2014


On Wednesday, July 23, 2014 11:11:30 AM Benedikt Stockebrand wrote:
...
> What I found to work with THT are some reverse biased BE junctions on
> BJTs.  I haven't tried the 2N3904 you mention, but with what I tested so
> far I got the best results from some BC337-16.  The BC547C I use for
> amplification works but unfortunately yields only about half as much
> output.
Right. I tested a BC337 from my scrap box too, but IIRC there was at least 
higher amplitude noise from the 2N3904.

> The situation also looks much better with various SMD (surface mounted
> device) Zeners.  I'm not sure if I can do a proper test run on these
> before Stockholm---I'd have to solder these up first, which makes it way
> more tedious than THT---but I'll give it a try.

I don't mind the SMD, but I think through-hole has the added benefit of 
minimizing the obstacles for anyone with moderate hardware experience to 
replicate results and test for themselves. At least keeping that in mind is 
important IMO.
 
> To reduce external noise and get more reliable test results I've almost
> finished an all-in-one PCB design; it isn't meant for production use or
> whatever, but to provide me a better test bed.  My intention is to order
> a batch of these boards from Seeedstudio---unfortunately they won't be
> here before I leave to Stockholm---and then have a basis to do some more
> serious testing.  I'll attach the schematics below; if anyone happens to
> want the Gerber and/or Eagle files, let me know.  Just don't laugh at
> the messy^Wunoptimized layout.

I had the same idea... I've used https://oshpark.com earlier with good 
results, but they have rather long lead times too.
 
> Anyway, are you coming to Stockholm?  I intend to prepare a couple sets
> of the Zeners/transistors I'm using so others can try as well; if you
> don't make it, let me know your postal address and I'll send you a set.

I will be in Stockholm, both days. Glad to hear you are coming.

...
> > I basically built the circuit shown at
> > 
> >   http://www.cryogenius.com/hardware/rng/
> 
> Hmm, do we have any electrical engineers around?  Here are my
> not-so-professional impressions on that circuit:
> 
> - From what I've learned about transistor amplifier stages I'd rather
>   stick with the voltage-feedback amplification (is that the proper
>   English term?) I've used---it should be way more resilient to
>   device tolerances.

I'll trust you on it - but maybe we should try to get in touch with some real 
electrical engineers as you suggest =)

> - The circuit also heavily depends on the capacitances in Q1 and Q2,
>   rather than using a capacitor for the job.  My experience is that a
>   capacitor (between the collector of Q2 and GND in that schematic)
>   actually increases both the amplitude and the irregularity of the
>   output---the circuit as is should really work as a jittery oscillator
>   only.

You are probably right. I've attached a screenshot showing the analog out 
signal I got, as well as the digitized output. The low clipping (bias) is 
easily spotted, but my thinking was that it would be a worthwhile exercise to 
see if we can come up with an extractor algorithm that can put up with a 
rather lousy signal and still manage to extract true entropy from it.
 
...
> > The Arduino is not my usual choice of MCU, but I think it would be
> > beneficial to use in prototyping this because it will enable more
> > people to follow the progress and build their own circuits.
> 
> There's a point to that, however there are two aspects to the Arduino
> that should be considered separately:
> 
> Using the Arduino hardware is perfectly fine with me, as long as I can
> eventually scale things down again to a smaller device.

Totally agree. I wouldn't mind keeping sort of an "Arduino compatibility" to 
allow people to connect the generator core design to their Arduinos if they 
want to, but in the end I don't see us including Arduinos to provide entropy 
to the FPGA =).

Besides apparently being available in a QFN-32 package only, I've been looking 
for an excuse to try the Freescale MKL02Z. 48 MHz ARM Cortex-M0+ in 5x5 mm, or 
a 16 pin QFN version measuring 3x3 mm! There's an eva-board called FRDM-KL02Z.

> But using the Arduino development environment is not such a good idea,
> and for a whole range of reasons:
> 
> - There's no longer any diversity in development tools.
> 
> - It adds extra complexity to the design.
> 
> - The bootloader allows for unattended installation of new firmware.
> 
> - To my understanding it will be significantly more difficult to get the
>   timing right.
> 
> - It will slow things down in general.

Agree with all of that.

> - Worst of all, I want to preserve options for a higher level of
>   diversity with the MCUs, like switching to PIC or MSP430 MCUs.

There are some nice MSP430s for sure.

...
> > The robustness vs. speed tradeoff will be an interesting one, but at
> > the moment it seems to me that robustness has to come first.
> 
> Which is exactly why I opted for that edge-to-edge measurement and the
> von Neumann extractor.  It'll work with just about anything generating
> roughly breakdown-style noise by adjusting the output speed to the
> particular device.

That's what I'm currently using as extractor. I've only got about a day's 
worth of data so far, but it doesn't appear to be flawless as implemented on my 
Arduino (I have some theories as to why)... but I'm not that used to 
interpreting the results of ent, dieharder etc. This is ent output for 77 MB:

> Entropy = 7.998367 bits per byte.
> 
> Optimum compression would reduce the size
> of this 71335422 byte file by 0 percent.
> 
> Chi square distribution for 71335422 samples is 162185.95, and randomly
> would exceed this value 0.01 percent of the times.
> 
> Arithmetic mean value of data bytes is 127.1028 (127.5 = random).
> Monte Carlo value for Pi is 3.134946002 (error 0.21 percent).
> Serial correlation coefficient is -0.000109 (totally uncorrelated = 0.0).

Dieharder is not at all convinced by these first 77 MB, but maybe that is to be 
expected?

...
> @ALL: Is it OK for you if I send things out by Thursday night to give
> you a chance to take a look at things before Stockholm, or would that be
> too late?  And how many of you would be interested in a set of
> Zeners/transistors for testing?

OK with me, and I'm interested. See you in Stockholm.

/Fredrik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2N3904-PoC-1.png
Type: image/png
Size: 69301 bytes
Desc: not available
URL: <https://lists.cryptech.is/archives/tech/attachments/20140724/c3614dd6/attachment-0001.png>
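
The von Neumann extractor discussed in the message above, together with the byte-frequency chi-square statistic that ent reports, as an added example that is not code from the original post or from the Cryptech project. It assumes independent bits with a fixed bias, supplied by a constructed PRNG stand-in (biased_bit); the edge-to-edge timing measurement is not modelled, and the extractor does not remove correlation between successive bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the digitized noise: independent bits with
   P(1) = 0.75, driven by a splitmix64 PRNG. Not an entropy source. */
static uint64_t sm_state = 1;
static int biased_bit(void) {
    uint64_t z = (sm_state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return ((z ^ (z >> 31)) & 3u) != 0;
}
/* Baseline: pack raw bits MSB-first with no extraction. */
void pack_raw(uint8_t *out, size_t n, int (*bit)(void)) {
    for (size_t i = 0; i < n * 8; i++)
        out[i / 8] = (uint8_t)(((i % 8 ? out[i / 8] : 0) << 1) | bit());
}

/* Von Neumann extractor: pairs 10 -> 1, 01 -> 0, 00/11 dropped; returns raw bits used. */
size_t von_neumann_fill(uint8_t *out, size_t n, int (*bit)(void)) {
    size_t used = 0, done = 0;
    unsigned acc = 0, nbits = 0;
    while (done < n) {
        int a = bit(), b = bit();
        used += 2;
        if (a == b) continue;          /* equal pair carries no output bit */
        acc = (acc << 1) | (unsigned)a;
        if (++nbits == 8) { out[done++] = (uint8_t)acc; acc = 0; nbits = 0; }
    }
    return used;
}
/* Chi-square of byte frequencies against uniform, 255 degrees of freedom. */
double chi_square_bytes(const uint8_t *buf, size_t n) {
    size_t count[256] = {0};
    double expected = (double)n / 256.0, chi = 0.0;
    for (size_t i = 0; i < n; i++) count[buf[i]]++;
    for (int v = 0; v < 256; v++)
        chi += ((double)count[v] - expected) * ((double)count[v] - expected) / expected;
    return chi;
}

int main(void) {
    static uint8_t raw[65536], vn[65536];
    pack_raw(raw, sizeof raw, biased_bit);
    size_t used = von_neumann_fill(vn, sizeof vn, biased_bit);
    printf("chi2 raw %.0f, extracted %.0f, raw bits used %zu\n",
           chi_square_bytes(raw, sizeof raw), chi_square_bytes(vn, sizeof vn), used);
    return 0;
}
```

With 255 degrees of freedom the statistic for uniform bytes has mean 255 and standard deviation of about 22.6, which is the scale to read the two printed values against.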

