[Cryptech Tech] Hardware entropy

Joachim Strömbergson joachim at secworks.se
Mon May 19 19:50:08 UTC 2014

Previous message: [Cryptech Tech] Hardware entropy
Next message: [Cryptech Tech] Fwd: Re: Hardware entropy
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Aloha!

Short answer to your latest emails: Cool and thanks for doing this. I
will try to recreate the results when I get back to my dev boards.

Cheers!
JoachimS


Bernd Paysan wrote:
> Am Montag, 19. Mai 2014, 15:39:25 schrieb Bernd Paysan:
>> Given that 2 roscs give one random bit as result, and we can
>> probably sample  them every 1024th cycle, so we get ~50kbps of
>> entropy per rosc pair (and a rosc pair takes about one LC slice).
>> That is with chain length 8, I'll try different delay chain
>> lengths, assuming a "the shorter, the more jitter" relation.
> 
> Ok, here comes analyses for chain length 1, 2, and 4.  Chain length 1
> has a rather high number of dropouts (with a high DC value but low
> noise), and is likely not oscillating stable (or can't be captured by
> the DFF), but chain length 2 still looks good for most instances;
> some have high DC values, though; confirming the hypothesis that
> shorter chain length is higher jitter, but also more likely not to
> produce a good rosc.  This is now with a 16 cycles sample loop
> (rng.asm).
> 
> Chain length 3 (not attached) is between 2 and 4, as expected.
> 
> There are two possible ways to deal with dropouts: Either go for a
> lower chain length, and simply accumulate more values for the same
> target entropy, or go for a higher chain length, and wait longer per
> sample. Looking at the number of plots with high DC values, chain
> length 4 already has several biased roscs, so the idea would be to go
> rather for chain length 2, and spend the resources to build more
> oscillators, so that the biased ones don't matter much.  Hand layout
> would improve the situation, but I deliberately want to have a fully
>  automated flow.
> 
> Chain length 2 gives us both significant sampling noise (probably
> setup/hold time violations of the DFF, resulting in metastability)
> and high jitter noise, so to get the maximum amount of entropy out
> means simply sample often (more metastability noise), and let the
> hash function extract the actual entropy. This is then a combination
> of two on-chip noise sources.
> 
> Under commercial development, I would now put 10 devices into a
> climate chamber, and repeat the measurements for minimum and maximum
> temperature (with minimum and maximum supply voltage).  The sampling
> noise (metastability) should stay pretty constant over temperature,
> because it's matching: fast rosc and fast dffs have the same problems
> as slow roscs and slow dffs.  The jitter should go up with
> temperature (more resistance), but the frequency will go down,
> cancelling at least parts of the additional jitter.  I.e. the design
>  should be sufficiently robust against temperature, process and
> supply voltage changes - the tests would be there to prove this
> hypothesis.
> 
> 
> _______________________________________________ Tech mailing list 
> Tech at cryptech.is https://lists.cryptech.is/listinfo/tech


- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBCAAGBQJTemBwAAoJEF3cfFQkIuyNNzEP/2pK5cbIqLaHEK1RlPOeEwqK
1cHfWeaEjDwnEcC5EdAFILI7TapwDV73vXaFpr31OTBvW/DbRXR6O2EzS2xal+CZ
plbGnGCvx8vAulsWkd+JaldygkWqLy08EA1BCVjF9FvJfyC2vOJ7uuZFh/zl0VZJ
jy9Zz9LAj5PC3/JNnlT2hryIfDldYYviPuLWoWMzKezksx0dUDGdnhc7nTlAHgJP
g7RBoeg/0o4Gdya2oHzzCSg69cFEVr5zNTozlIQ32oJXFDjmTDxzFR137P0wKpVC
RlolEvfKYBQMfeTnkNH0givrpCJJ2les5qrgpOhVPTYyVyKCegMaAyyQHUJ6RN9D
t3gG4bPMlJ2goaM0ofXBe7o4CUJ4XAwjAJvAkjhnMBa/nAjs10cR8XtXZQGaXvli
L0g6WXf1zmuVXx9gNyko1/vIvoSPwVFUsL4ETbpj/xH2s5gd0eyM0CyrhD6ySikp
NwfrB7L6i/a9DXaVFOb9CzK+5iIpE7CWaNSvirq9YBNotz/HS8EIx5RmW8OdJNl4
4a6JbtVy9c1Z+LtcXtr1ZDezDqJD3LXXKW66KsFDMPow1bH+OWAHpDFZYXuwZfZ6
Q78AQDENtTaX9S3zwfJ1GEzO9voOePjwnBGRPh+9lYUYwQlKM5YMXME/bKw7O2K4
Fiu5OZYlB3lcYstNcy7D
=d1pf
-----END PGP SIGNATURE-----

Previous message: [Cryptech Tech] Hardware entropy
Next message: [Cryptech Tech] Fwd: Re: Hardware entropy
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Tech mailing list