[Cryptech Tech] Hardware entropy

Joachim Strömbergson joachim at secworks.se
Mon May 19 19:37:23 UTC 2014


Aloha!

Stephan Mueller wrote:
> I understand that this will be a kind of Open Source -- Open Hardware
> approach where everybody can do whatever he likes. However, in the
> design of the RNG, a tight, hard-to-separate integration of the
> noise source from the subsequent deterministic part can be achieved
> or a loose coupling which allows an easy plug and play with other
> ciphers.
> 
> My recommendation would be for the latter.
...
> Oh, sure. Do not get me wrong that all needs to be perfect from the 
> beginning. But interfaces are hard to change afterwards. Thus my
> remark on well-defined interfaces between noise source and
> conditioner to allow an easy replacement.

Yes, interfaces are important and I hope what I've suggested as a first
draft is ok. But during the first year or so, with say 1-5 entropy
sources and a few mixers etc., we can change things around.

But let me just try to explain how I'm thinking and why I believe it will
actually be pretty easy to add entropy sources, change the core used for
the mixer (SHA-512 vs Keccak vs Blake vs ...) etc.

If we ignore the debug support I've been discussing with Berndt, the
data path from entropy source to generated random number looks like this.

(1) The first stage consists of a number of entropy provider modules.
One for each entropy source used in a given implementation. This means
that there will be one to N entropy providers.

The entropy providers are digital HW within the FPGA and their purpose
is to act like a driver for a given type of entropy source. This means
that they contain the interface logic to control the entropy source and
read sampled values. If the entropy source is a PN avalanche noise
source this means controlling the reverse bias current and reading from
the A/D to get ones and zeros.

The entropy provider might do whitening and will do on-line testing of
collected values to observe that the entropy source is at least not
dead. The entropy provider then collects these values into 32-bit words
and feeds them into a FIFO.

This means that there is a FIFO at the output end of each entropy
provider and they are in a sense generic. The only difference between
two types of entropy providers is how many 32-bit words they can provide
in a given time.

I'm sure that the FPGA entropy source Berndt has been talking about
could be wrapped into an entropy provider like that.

In short: All entropy sources have a companion entropy provider core.
Each entropy provider core is different in terms of interface towards
the entropy source. But the interface towards the mixer is always the same.


(2) The mixer has a number of input ports, each looking the same: the read
access interface to the FIFOs in the entropy sources. The mixer looks at
the FIFOs for available 32-bit words and extracts them. The suggested
way of doing this is round robin to get fair queueing.

In my implementation using SHA-512 I basically extract as many 32-bit
words as needed to create a 1024-bit message block. This is then fed
into SHA-512 and processed. After X message blocks the digest is
extracted and fed into a FIFO.

That is basically it for the mixer. Changing this to Keccak will change
how many words are consumed for each 512-bit word generated and how many
cycles it takes. But the interfaces do not have to change.

And the only difference between mixers is how many entropy sources they
can use and thus how many interfaces they have.


(3) The CSPRNG has a 512-bit interface connected to the FIFO in the
mixer. When it is time to reseed and there is a 512-bit word available,
it is extracted from the FIFO in the mixer and is used to initialize the
CSPRNG. The CSPRNG then starts generating random numbers. These numbers
are fed into a 32-bit FIFO which can be accessed by the rest of the
Cryptech system and by applications (via calls into Cryptech SW and down
into HW register reads).

In short, the CSPRNG accepts 512-bit words and generates 32-bit words.
How many cycles it takes to generate new words and how often reseeding
happens depends on the algorithm used and how the system is configured. But
it should be possible to keep the interfaces the same.



> By the way: I am amazed that hardware development is now starting to
> be Open Source.

There isn't that much compared to all SW projects, but OpenCores has been
around for many years and especially the OpenRISC processor core is cool and
today pretty mature:

http://opencores.org/

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
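The three-stage data path described in the mail (entropy providers with output FIFOs, a round-robin mixer that packs 32-bit words into 1024-bit SHA-512 message blocks and emits a 512-bit digest after X blocks, and a CSPRNG that reseeds from that digest and fills a 32-bit output FIFO) modelled as a software simulation. This is an added illustration, not Cryptech's Verilog or any code from the list; the "not dead" health test (a run-length threshold), the block count X, the reseed interval, the hash-counter generator standing in for the real CSPRNG core, and the noise sources (a seeded PRNG and a stuck-at-1 source) are all constructed assumptions.

```python
"""Software model of entropy provider -> mixer -> CSPRNG (added example)."""
import hashlib
import random
from collections import deque

WORD_BITS = 32
BLOCK_WORDS = 1024 // WORD_BITS   # 32 words make one SHA-512 message block


class EntropyProvider:
    """Driver-like wrapper for one entropy source: samples bits, runs a
    'source is not dead' check, packs bits into 32-bit words, pushes to a FIFO.
    The run-length threshold is an assumed health test, not a Cryptech one."""

    def __init__(self, name, bit_source, max_run=64):
        self.name = name
        self.bit_source = bit_source      # callable returning 0 or 1
        self.max_run = max_run
        self.fifo = deque()
        self.alive = True
        self.last_bit, self.run = None, 0

    def _bit(self):
        b = self.bit_source()
        if b == self.last_bit:
            self.run += 1
            if self.run >= self.max_run:  # stuck output: flag the source dead
                self.alive = False
        else:
            self.last_bit, self.run = b, 1
        return b

    def collect(self, nwords):
        """Sample nwords words; words finished after death are discarded."""
        for _ in range(nwords):
            if not self.alive:
                return False
            word = 0
            for _ in range(WORD_BITS):
                word = (word << 1) | self._bit()
            if self.alive:
                self.fifo.append(word)
        return self.alive


class Mixer:
    """Round-robin reads from provider FIFOs, feeds 1024-bit blocks to SHA-512,
    and emits one 512-bit digest per blocks_per_digest blocks (the mail's X)."""

    def __init__(self, providers, blocks_per_digest=4):
        self.providers = list(providers)
        self.blocks_per_digest = blocks_per_digest
        self.fifo = deque()
        self._next, self._pending, self._blocks = 0, [], 0
        self._hash = hashlib.sha512()

    def _next_word(self):
        n = len(self.providers)
        for i in range(n):   # start after the provider served last time
            p = self.providers[(self._next + i) % n]
            if p.alive and p.fifo:
                self._next = (self._next + i + 1) % n
                return p.fifo.popleft()
        return None

    def run(self):
        """Consume all complete blocks available; return digests produced."""
        produced = 0
        while True:
            while len(self._pending) < BLOCK_WORDS:
                w = self._next_word()
                if w is None:
                    return produced
                self._pending.append(w)
            self._hash.update(b"".join(w.to_bytes(4, "big") for w in self._pending))
            self._pending, self._blocks = [], self._blocks + 1
            if self._blocks == self.blocks_per_digest:
                self.fifo.append(self._hash.digest())
                self._hash, self._blocks, produced = hashlib.sha512(), 0, produced + 1


class Csprng:
    """Hash-counter generator (assumed stand-in for the real core): takes a
    512-bit seed from the mixer FIFO, emits 32-bit words, reseeds every
    reseed_interval words, and refuses to output without a seed."""

    def __init__(self, mixer, reseed_interval=1024):
        self.mixer, self.reseed_interval = mixer, reseed_interval
        self.state, self.counter, self.since_reseed = None, 0, 0
        self.fifo, self._buf = deque(), deque()

    def reseed(self):
        if not self.mixer.fifo:
            return False
        seed = self.mixer.fifo.popleft()
        self.state = hashlib.sha512(b"reseed" + (self.state or b"") + seed).digest()
        self.counter, self.since_reseed = 0, 0
        self._buf.clear()                 # drop output derived from the old state
        return True

    def generate(self, nwords):
        produced = 0
        while produced < nwords:
            if self.state is None or self.since_reseed >= self.reseed_interval:
                if not self.reseed():
                    break                 # starved of entropy: stop, don't guess
            if not self._buf:
                blk = hashlib.sha512(self.state + self.counter.to_bytes(8, "big")).digest()
                self.counter += 1
                self._buf.extend(int.from_bytes(blk[i:i + 4], "big") for i in range(0, 64, 4))
            self.fifo.append(self._buf.popleft())
            self.since_reseed += 1
            produced += 1
        return produced


def simulate(noise_seed=1234):
    """Constructed scenario: one live source, one stuck source, X = 2 blocks."""
    rng = random.Random(noise_seed)                    # stand-in for physical noise
    good = EntropyProvider("avalanche", lambda: rng.getrandbits(1))
    dead = EntropyProvider("stuck", lambda: 1)
    good.collect(256)
    dead.collect(256)
    mixer = Mixer([good, dead], blocks_per_digest=2)   # 64 words per digest
    digests = mixer.run()
    prng = Csprng(mixer, reseed_interval=64)
    words = prng.generate(100)                         # reseeds once at word 64
    return good.alive, dead.alive, digests, words, len(mixer.fifo)
```

Running `simulate()` shows the interface property the mail argues for: the mixer only ever sees "is a 32-bit word available" on each port, so the stuck provider is simply skipped once its health check trips, and swapping the hash core or the generator construction would touch only the inside of `Mixer` or `Csprng`, not the FIFO boundaries between the stages.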