[Cryptech Tech] Cleaned up arrgh board and firmware available

[Fredrik Thulin]

On Wednesday, November 26, 2014 08:35:07 AM Benedikt Stockebrand wrote:
...
> While I'm rather happy with the results I've seen so far, I *really*
> want some more testing; this is especially so because the tests promoted
> by FIPS-140 are ridiculously ill-suited, but still used e.g. by the
> rngtools (rngtest/rngd).

Yes, I concur that testing needs more work. My approach this far is to try and 
examine the smallest components first (currently, LSBs of a 42 MHz timer 
triggered on the rising flank of the noises), before deciding on what is 
actually a sound way to extract entropy from those timers.

Did you see my e-mail with apparent bit patterns in these LSB:s? This is the 
gist of it, showing how far from a perfect distribution each 8-bit series is:

> Lowest:
>   91 / 10010001, off-by    -13, a*a =        169
>   c2 / 11000010, off-by     20, a*a =        400
>   14 / 00010100, off-by    -26, a*a =        676
>   1b / 00011011, off-by     26, a*a =        676
>   0d / 00001101, off-by     31, a*a =        961
>   c8 / 11001000, off-by     31, a*a =        961
>   90 / 10010000, off-by     35, a*a =       1225
>   26 / 00100110, off-by     56, a*a =       3136
>   96 / 10010110, off-by    -66, a*a =       4356
>   5e / 01011110, off-by    -70, a*a =       4900
> 
> Highest:
>   0f / 00001111, off-by  -3691, a*a =   13623481
>   7f / 01111111, off-by  -3752, a*a =   14077504
>   e0 / 11100000, off-by  -3754, a*a =   14092516
>   1f / 00011111, off-by  -3931, a*a =   15452761
>   03 / 00000011, off-by  -3975, a*a =   15800625
>   3f / 00111111, off-by  -4058, a*a =   16467364
>   c0 / 11000000, off-by  -4226, a*a =   17859076
>   ff / 11111111, off-by  -4319, a*a =   18653761
>   4a / 01001010, off-by   4443, a*a =   19740249
>   00 / 00000000, off-by  -5116, a*a =   26173456

I realized something a while ago but haven't had time to continue the 
analysis. If you look at the top-10 highest deviations from the expected, the 
9 that are under-represented (negative off-by numbers) have series of at least 
four repeating 1's or 0's, while the only over-represented 8-bit series 
(01001010) does not - so my circuit seems biased towards alternating bits 
rather than repeating bits. Huh.

I'm going to rerun this on shorter series of bits as soon as I get the time. I 
expect that to even more clearly show this tendency.

Anyone with ideas of the source of this? I really can't understand where this 
comes from, so my main way forward would be to experiment to see if I can 
figure it out by changing something and observing the effect.

/Fredrik