[Cryptech Tech] Hardware entropy

Joachim Strömbergson joachim at secworks.se
Fri May 16 16:49:27 UTC 2014


Aloha!

Bernd Paysan wrote:
> Thanks to Heise, I got informed that you are working on an open+secure
> cryptochip.  Has anybody started with the entropy source yet?  I've
> several ideas how to create entropy on an FPGA, and I'd like to try
> them out...

Has Cryptech been mentioned in Heise? Do you have a link?

Cool of you to make contact. I'm almost a bit starstruck - you have done
a lot of cool stuff since at least the early 1990s with the 4stack machines
etc. Your input and knowledge would be great.

> The general structure of an entropy source would be: The source
> itself (using unreliable, self-timing, or instable configurations of
> the lookup tables, which probably requires some low-level entry, as
> the standard Verilog compiler might want to eliminate them...), which
> must have a raw access from the outside (to get and measure raw
> entropy, so we can be confident that it is good entropy), and a
> conditioner, which is a secure one-way function over the entropy bits
> (which makes measuring the entropy extremely hard, as the one-way 
> function produces something that definitely looks like good
> entropy).

As Fredrik wrote, we will kick off a subproject that will produce the
design of a stable, well-tested PN avalanche noise based entropy source.

But our RNG does not hinge on that specific entropy source. In fact, what
we try to achieve is a complete, modular TRNG with support for several
entropy sources (providers) that feed a mixer + CSPRNG that generates
the actual random numbers. This follows TRNG structures similar to those
present in modern OSs (Linux, OpenBSD) as well as the Bull
Mountain/RdRand in Intel's processor - if one is to trust what Intel
presents.

The following presentation (that needs to be updated) shows the proposal:

http://trac.cryptech.is/browser/doc/presentations/Cryptech_TRNG_Ideas_2014-03-17.pdf

Currently I have the basics of the mixer and CSPRNG almost done. The
debug, test system is not ready. Nor are any entropy sources.

We have had long discussions on viable entropy sources. Some are pretty
firm that PN avalanche noise is the only usable source of entropy. I
think shot noise as well as metastability in CMOS devices are usable
too. And the important thing is that we want to have more than one
entropy source and of different types to make it harder to manipulate
more than one physical process at the same time.

The Cryptech system will however not force any implementor to use a
specific entropy source or a specific number of sources. The PN
avalanche noise is the base one and then we can add more.

Regarding FPGA based entropy sources, some interesting work has been
done on it. The following report presents several variants
that have been tested. The big problem is getting control of the layout.
But when that works, the metastability achieved seems to be able to
produce an entropy source that meets AIS31.

http://www.eit.lth.se/sprapport.php?uid=498

I would love to test these, but if you are able to do it, even better.
As long as you can get the source to generate 32-bit words (via a
buffer) we can easily connect it to the coretest system and extract the
data to do offline testing with Dieharder for example. Something like
what I'm using today for the hash testing:

http://trac.cryptech.is/browser/core/coretest_hashes

Do you have any good FPGA dev boards available? I'm using the Terasic
C5G board and can recommend it. A great little board.


> I'd prefer to use Keccak as conditioner, because that's a hash I have
> no doubts about.  There's a Keccak implementation on OpenCores.

You could easily replace the SHA-512 core in our TRNG with Keccak. I'm
not sure users at large are yet as comfortable with Keccak as with SHA-512,
even though the SHA-3 compo is over.

What are your thoughts regarding the CSPRNG? My idea is to use ChaCha or XChaCha.

-- 
With kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================


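Added example, not part of the original message and not Cryptech code: a Python sketch of why the raw access requested in the quoted text matters when 32-bit words are extracted for offline testing. The biased source, the 16-word block size and the most-common-value estimator are assumptions chosen for illustration; SHA-512 stands in for the conditioner, as in the mail.

```python
import hashlib, math, random, struct
from collections import Counter

def biased_source(n_words, p_one=0.8, seed=1):
    """Constructed stand-in for a weak raw source: every bit is 1 with probability p_one."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return [sum((rng.random() < p_one) << i for i in range(32)) for _ in range(n_words)]

def condition(words, block_words=16):
    """SHA-512 over each block of raw 32-bit words; the digest is re-split into 16 words."""
    out = []
    for i in range(0, len(words) - block_words + 1, block_words):
        block = struct.pack(f">{block_words}I", *words[i:i + block_words])
        out.extend(struct.unpack(">16I", hashlib.sha512(block).digest()))
    return out

def ones_fraction(words):
    """Monobit statistic: share of 1 bits (ideal: 0.5)."""
    return sum(bin(w).count("1") for w in words) / (32 * len(words))

def min_entropy_per_byte(words):
    """Most-common-value estimate, -log2(max byte frequency), in bits per byte (ideal: 8)."""
    data = struct.pack(f">{len(words)}I", *words)
    return -math.log2(max(Counter(data).values()) / len(data))

if __name__ == "__main__":
    raw = biased_source(4096)
    for name, words in (("raw", raw), ("conditioned", condition(raw))):
        print(f"{name:12s} ones={ones_fraction(words):.3f} "
              f"min-entropy={min_entropy_per_byte(words):.2f} bits/byte")
```

The conditioned words score close to ideal although the raw words feeding them do not, so statistical tests run only on conditioned output say nothing about the quality of the source.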