[Cryptech Tech] never do in software what can be done in hardware

Benedikt Stockebrand bs at stepladder-it.com
Tue Sep 2 17:14:34 UTC 2014


Hi Fredrik and list,

> I got one of Benedikt's ARRGH boards earlier this week (very nice, both the
> board and that you got me one),

no worries, I've only been after your feedback anyway:-)

> My design still loses ent's approval after about 100 MB of data, and the
> arithmetic mean doesn't end up that close to 127.5 so clearly the entropy 
> output is less with my design than with the ARRGH.

The good news here is that the analog part of the circuit is reasonably
difficult to subvert, so you might just use it with your digital
backend, which is in much more need of diversification anyway than the
analog part.  If you use a voltage divider you should be able to feed
the analog signal straight into your MCU.

That said, even if the analog side was bad, the subsequent digital part
should ensure that it is mangled into pure entropy---not necessarily if
only fed into a CSPRNG as seed, but if used otherwise.

> 2. Comparing the amplified noise from my design and Benedikt's shows that my
> noise is... duller than Benedikt's. See attached screenshot - my noise in
> yellow and Benedikt's in blue.

I've spent quite some time tweaking the various parameters with the
generator core (Zener and first transistor); maybe you want to take a
closer look at it?

> It turns out that the +-5V I got from my charge pump is perhaps a little less 
> than ideal. If I increase that to 12V I get comparable noise output. I don't 
> know if this affects the entropy yet, but I'd say that it at least reduces the 
> entropy frequency. This is probably at least a significant factor for ARRGH's
> higher output rate.

Actually, what I found was that the voltage significantly influences the
amplitude (no surprise here) and to some degree the frequency spectrum
as well; the latter is because the junction will be depleted of movable
charges more quickly if the current is higher.

On the other hand, turning up the voltage increases the power
consumption faster than the throughput, so going for a higher voltage
will eventually lead to a situation where the device needs more current
than a USB port is designed to deliver (i.e. 100mA without previous
negotiation with the host).

> (the blue data is actually ARRGH noise amplified by one of my amplifiers - 
> that's why both are 3V3 although the ARRGH board is a 5V circuit).

Hmm, could you try to re-run that using a voltage divider instead?

> 3. The ARRGH board is really much faster than mine. Almost 10x. Faster output 
> means less waiting when testing, so is better - at least if it doesn't come at 
> a price of entropy quality (which number 1 says it doesn't - at least not in 
> this comparison).

It still takes roundabout 10 days to gather enough data for a full
dieharder run---better than three months, but still rather tedious...

> Even worse, when I increased the frequency of the noise (by using external 12V 
> instead of the +-5V) and had some fast polling code in place the delta (length 
> of pulses measured in tight loop counts) got down to < 16, with a bias for 
> even/uneven bits of about 5%. A von Neumann extractor only deals with bias in 
> consecutive bits, and was not able to "heal" such biased input.

I can't follow you there; have you tried with a von Neumann extractor?

> That's when I realized there is a timer operation called "capture" which seems 
> ideal for this use case. When a state transition is observed on an input pin 
> (i.e. noise goes from low to high, high to low or both), the MCU will actually 
> "freeze" the 16 MHz counter value into a register in hardware that I can busy-
> wait looking for.

That sounds rather good; only downside is that if we use these sorts of
features it will be more difficult to diversify to different MCU
architectures.

> I extracted 646k timer deltas, and they look plausibly good to me, although 
> more data is needed to be conclusive. The X axis of the attached graph is the 
> delta between two consecutive transitions measured in 16 MHz steps.

That's still rather slow---I have less than 50 clock cycles on average
per noise bit read.

> I suspect that I might have to add an external oscillator in the end anyways. 
> In the last hour or so, I've extracted about 10MB of data from two units of my 
> design. One of them with a 2N3904 transistor as entropy source, and the other 
> with the ARRGH board TP5 as source. Oddly enough, 'ent' is happy with the 
> entropy extracted from "my" noise (50.0%), but not-so-happy about the ARRGH 
> noise (0.01%).

That's rather weird; my guess is that the way you process the data in
the MCU isn't entirely up to the job if the input is close to MCU speed,
but it still seems funny.

> Maybe this is an early sign that the 16 MHz generated using the DCO in my 
> msp430 isn't good enough to get the best possible entropy quality output, or 
> maybe the jumper wire adds interference but I'll extract more data first.

You've seen the test setups I've used; jumper wires do have an effect,
but it's not all that bad, really.


Cheers,

    Benedikt

-- 
Benedikt Stockebrand,                   Stepladder IT Training+Consulting
Dipl.-Inform.                           http://www.stepladder-it.com/

          Business Grade IPv6 --- Consulting, Training, Projects

BIVBlog---Benedikt's IT Video Blog: http://www.stepladder-it.com/bivblog/
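
The von Neumann extractor mentioned in this thread, as an added example (not code from either poster or from any board firmware): it removes a constant bias from independent bits, while in a constructed case where the bias differs between even and odd sample positions the output stays biased. The PRNG, the probabilities, the seed and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N_RAW 400000u
static uint8_t raw[N_RAW], ext[N_RAW / 2];

/* xorshift32 PRNG: only used to build the constructed raw samples. */
static uint32_t rng_state;
static uint32_t rng_next(void) {
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 17;
    rng_state ^= rng_state << 5;
    return rng_state;
}

/* Von Neumann extractor over non-overlapping pairs:
 * 01 -> 0, 10 -> 1, 00 and 11 are dropped. Returns the output bit count. */
size_t von_neumann(const uint8_t *in, size_t n, uint8_t *out) {
    size_t k = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        if (in[i] != in[i + 1])
            out[k++] = in[i];
    return k;
}

/* Fraction of ones after extraction when even-indexed raw samples are 1
 * with probability p_even and odd-indexed ones with probability p_odd
 * (constructed, independent samples; seed must be non-zero). */
double extracted_ones_fraction(double p_even, double p_odd, uint32_t seed) {
    size_t k, ones = 0;
    rng_state = seed;
    for (size_t i = 0; i < N_RAW; i++) {
        double p = (i & 1) ? p_odd : p_even;
        raw[i] = (uint8_t)(rng_next() / 4294967296.0 < p);
    }
    k = von_neumann(raw, N_RAW, ext);
    for (size_t i = 0; i < k; i++)
        ones += ext[i];
    return k ? (double)ones / (double)k : 0.0;
}

int main(void) {
    /* Same bias on every sample: close to 0.5 after extraction. */
    printf("constant 0.55:    %.4f\n", extracted_ones_fraction(0.55, 0.55, 2463534242u));
    /* Bias alternating with position: 0.3025/0.505, about 0.599. */
    printf("alternating bias: %.4f\n", extracted_ones_fraction(0.55, 0.45, 2463534242u));
    return 0;
}
```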

