[Cryptech Tech] Some measurement results for FPGA with avalanche entropy source

Bernd Paysan bernd at net2o.de
Sun Sep 7 14:15:58 UTC 2014


On Saturday, 6 September 2014, 18:25:17, Joachim Strömbergson wrote:
> Aloha!
> 
> Bernd Paysan wrote:
> > The internal ROs won't pass dieharder without additional stuff, due
> > to the bias.
> 
> That isn't the plan either. We will probably have entropy access ports
> even in the first iteration. But I assume Randy meant being able to run
> Dieharder on the output from the csprng. Just to be able to show that we
> can deliver a working TRNG.

Sure, but there is still the open question how to convince others that the 
entropy is "good". Chacha's output certainly will pass dieharder, but it will 
do so without any entropy.

Therefore, the goal should be that with some simple circuitry, the noise 
sources should be converted into "pure" entropy, i.e. something that passes 
dieharder without cryptographic primitives.  For the avalanche diodes, the von 
Neumann extractor works; for the ring oscillators, we need something else.

> > I've been thinking about mixing them all together through one LSR,
> > which would work like this, with ro being 32 ring oscillator outputs
> > (flip-flops, sampled each cycle):
> > 
> > reg [31:0] mix;
> > 
> > always @(posedge clk) mix <= ro ^ { mix[30:0], ~mix[31] };
> > 
> > and sampling mix every multiple of 64 cycles (better accumulate for
> > 128 cycles).
> > 
> > This function eliminates biases (after 64 rounds, we have 32 inverted
> > and 32 non-inverted samples xored together in each bit), and still is
> > simple enough that all real failures of the ring oscillators (like
> > aligned oscillation or insufficient jitter) will show up.
> 
> Cool. I'll try to implement and test that.

We probably also need some sort of health monitoring for the ROs - check that 
their bias is below a certain threshold or so.  This mixer can hide some 
defective ROs, by xoring good entropy over bad.  Since health monitoring of a 
ring oscillator is way more expensive than the ring oscillator itself, I 
suggest to have one health monitor and a multiplexer to feed one RO after the 
other into the health monitor.  That would e.g. count 256 samples, and pass if 
the count result is between 96 and 160.

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
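
The mixer and the multiplexed health monitor described in the message above, modelled in software as an added example (not code from the original post or from the Cryptech project). The per-RO probability model, the inclusive 96..160 bounds, and sampling mix every 64 cycles without resetting it are assumptions of this sketch.

```python
import random

MASK = 0xFFFFFFFF
WINDOW, LOW, HIGH = 256, 96, 160   # monitor: 256 samples, pass if LOW <= ones <= HIGH

def mix_step(mix, ro):
    """One clock of: mix <= ro ^ { mix[30:0], ~mix[31] }."""
    rotated = ((mix << 1) & MASK) | (((mix >> 31) & 1) ^ 1)
    return ro ^ rotated

def sample_ros(rng, p_one):
    """Constructed RO model: flip-flop i reads 1 with probability p_one[i]."""
    word = 0
    for i, p in enumerate(p_one):
        if rng.random() < p:
            word |= 1 << i
    return word

def run(p_one, words=128, cycles=64, seed=1):
    """Return (fraction of ones in sampled mix words, ROs the monitor rejected)."""
    rng = random.Random(seed)
    n = len(p_one)
    mix = ones = count = 0
    failed = set()
    for c in range(words * cycles):
        ro = sample_ros(rng, p_one)
        mix = mix_step(mix, ro)
        sel = (c // WINDOW) % n            # multiplexer: one RO at a time
        count += (ro >> sel) & 1
        if c % WINDOW == WINDOW - 1:       # this RO's 256-sample window is complete
            if not LOW <= count <= HIGH:
                failed.add(sel)
            count = 0
        if c % cycles == cycles - 1:       # sample mix every 64 cycles
            ones += bin(mix).count("1")
    return ones / (words * 32), sorted(failed)

if __name__ == "__main__":
    p = [0.5] * 32
    p[3], p[7] = 0.0, 0.8                  # constructed faults: stuck-at-0 and biased
    print(run(p))
```

With one stuck and one biased oscillator the sampled mix words still show about half ones, while the monitor rejects exactly those two inputs.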