[Cryptech Tech] Maurer's Universal Test for Randomness
Bill Cox
waywardgeek at ciphershed.org
Mon Sep 15 18:48:33 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/15/2014 06:46 AM, Joachim Strömbergson wrote:
> Aloha!
>
> While reading a protocol spec at work I found a reference to the
> following paper. The paper describes a universal test for
> randomness (and the protocol spec requires any source for random
> numbers used for key generation to be tested with this test):
>
> http://www.jscoron.fr/publications/universal.pdf
>
> (Love the way the paper uses comments on IACR bylaws etc.)
>
> I haven't seen this test being mentioned before, esp not as a
> requirement for keys.
>
> Benedict and Bernd?
Hi, guys. I'm new to this list, and may not have much time I can
commit to it, but I saw in the mail archive some discussion about an
avalanche based TRNG. That's probably fine, assuming there's no need
for higher bandwidth data. Two thoughts on it... First, I was able to
get the data rate to 500Kb/s by adding an 8-bit 40-MHz A/D converter
rather than just a comparator against 0. The signal wasn't moving
that fast, but the LSBs were still highly unpredictable. I XORed it
down 80-to-1 to generate the output. That was back in 1998, I think.
If I were doing it today, I would consider building a hardware Keccak
(SHA3 winner) sponge to provide the whitened data, rather than mux-ing
it down like I did. The sponge sucks data in at whatever rate your
TRNG runs, and spits out cryptographically pseudo-random data at
whatever speed you want. It is the most silicon-friendly
cryptographically strong hashing algorithm I have ever read about. It
should work quite well in an FPGA. I just reviewed its design, and
while I'm no hashing expert, I'm convinced it is secure (but don't
take my word for it).
I also like some newer TRNG architectures. One I've been wanting to
build I call the "Infinite Noise Multiplier", but I haven't designed
one for a board-level project yet. It certainly will be more complex
than using zener avalanche noise, so likely not a good match. With a
Keccak sponge in an FPGA, I don't think there's any real need for high
bandwidth true random data, so long as the TRNG seeds the sponge well.
Bill
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJUFzR+AAoJEAcQZQdOpZUZtzoP/3gz9sWZbGWKwBRhNKch8GVl
ghhC0FiE8KkDjKrkYMBHxOdzXihCIkC03tgWm3HHwGC9QispNYi3VC/n7hjRfC50
LaDVdsZgEvmmRTJDmR9ZCfI9Cnnyuq18wzkKp+pHkZZfnWMspp/hrohnE6QL4gmD
Leg0WwhKGRXenXgEEwiQNJ5L+JJsDi9FEEyswPdaZu8MsnkwvyAkB7U42d45QZFe
hV51tUUK0Bv9BSBrOqMq+/ApGAn/2kTwqkKRBQPVFELiwbkcr4kTWCqx8NTIVf60
KtHcpX7Toyyt94fAcWSaRXOGBM3QzM21NtM6ECo7062Vs8ax/fDAka9Qjv0govDd
yjINQsVWhUwVKKPcxZ7Vjx7cWAGxqh7l/jt7WRlBjTP79hp/xCRDxpH/nlD8GLPa
o5DJuY4Xc/N7yB/Q/S6nTHS01C68gShCq+KRjJ6oAd0jGj9tNDvwbo3gx7a1YsXh
9rsjmammaJON/CWNZjIPA8E9jMUj/yjfV69GJPuUOKJWz2xrdWuhzoeDmUpUOE9B
L2Pkf43urs7rh9nOP8wqKR4RNFETiXbQTNWxVcv4rGluL0tH7P36XSsOm06qpKrK
eL6IgRpYP0O5+jAhkYp0TJXvrVfCsT7iwJVMiLjSC21zGChKv9bXQCHLz2rsLWK6
w/w7H6S6jgkyj1ALb97I
=jELO
-----END PGP SIGNATURE-----
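An added example, not code from either poster, the Cryptech project, or the referenced paper: a straightforward implementation of Maurer's universal statistical test that Joachim's mail points to, written in the parameterization used by NIST SP 800-22 (block length L, Q = 10 * 2^L initialization blocks, and the expected-value/variance table for L = 6..10 taken from that document). The three sample inputs are constructed here: an all-zero stream, a seeded PRNG stream standing in for well-whitened TRNG output, and a biased stream (P[1] = 0.25) of the kind an un-whitened raw source might produce. The seed values and the 400,000-bit sample size are assumptions; NIST's minimum for L = 6 is 387,840 bits.

```python
import math
import random

# Expected value and variance of Maurer's statistic f_n for truly random
# input, indexed by block length L (NIST SP 800-22, Universal Statistical
# Test). Only L = 6..10 are included here; the full table goes to L = 16.
MAURER_TABLE = {
    6: (5.2177052, 2.954),
    7: (6.1962507, 3.125),
    8: (7.1836656, 3.238),
    9: (8.1764248, 3.311),
    10: (9.1723243, 3.356),
}


def maurer_universal_test(bits, L=6):
    """Run Maurer's universal statistical test on a '0'/'1' string.

    Returns (f_n, p_value). The stream is cut into L-bit blocks; the first
    Q = 10 * 2^L blocks only prime the "last seen" table, and the remaining
    K blocks contribute log2(distance to the previous occurrence of the same
    block value). Compressible (low-entropy) input yields short distances
    and therefore a small f_n.
    """
    if L not in MAURER_TABLE:
        raise ValueError("unsupported block length L=%d" % L)
    Q = 10 * 2 ** L
    nblocks = len(bits) // L
    K = nblocks - Q
    if K <= 0:
        raise ValueError("need more than %d bits for L=%d" % (Q * L, L))

    # last_seen[b] = index (1-based) of the most recent block with value b
    last_seen = [0] * (2 ** L)
    for i in range(1, Q + 1):
        block = int(bits[(i - 1) * L:i * L], 2)
        last_seen[block] = i

    total = 0.0
    for i in range(Q + 1, Q + K + 1):
        block = int(bits[(i - 1) * L:i * L], 2)
        total += math.log2(i - last_seen[block])
        last_seen[block] = i
    fn = total / K

    # Two-sided test against the tabulated distribution; the factor c is the
    # finite-sample correction from SP 800-22.
    expected, variance = MAURER_TABLE[L]
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    sigma = c * math.sqrt(variance / K)
    p_value = math.erfc(abs(fn - expected) / (math.sqrt(2) * sigma))
    return fn, p_value


# Constructed sample sources (assumptions for this example, not real TRNG data).
def random_bits(n, seed=1):
    """Seeded PRNG output: a stand-in for well-whitened generator output."""
    rng = random.Random(seed)
    return format(rng.getrandbits(n), "0%db" % n)


def biased_bits(n, p_one=0.25, seed=1):
    """Memoryless biased source: each bit is 1 with probability p_one."""
    rng = random.Random(seed)
    return "".join("1" if rng.random() < p_one else "0" for _ in range(n))


if __name__ == "__main__":
    n = 400_000
    for label, stream in (("all zeros", "0" * n),
                          ("seeded PRNG", random_bits(n)),
                          ("biased p=0.25", biased_bits(n))):
        fn, p = maurer_universal_test(stream)
        verdict = "pass" if p >= 0.01 else "FAIL"
        print("%-14s f_n=%.4f  p=%.3g  %s" % (label, fn, p, verdict))
```

The all-zero stream gives f_n = 0 exactly (every block repeats at distance 1), and the biased source also fails decisively because f_n tracks the per-block entropy, which is about 0.81 bits per raw bit at P[1] = 0.25. A test like this belongs on the raw source as a health check; run on output that has already passed through a hash or sponge it will pass regardless of how poor the seed entropy was, which is exactly why the spec Joachim mentions requires the test on the source feeding key generation.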