[Cryptech Tech] Maurer's Universal Test for Randomness

Joachim Strömbergson joachim at secworks.se
Tue Sep 16 06:47:09 UTC 2014



Aloha!

Hi Bill! Great to see you on the list, and welcome to Cryptech!


Bill Cox wrote:
> I also like some newer TRNG architectures.  One I've been wanting to 
> build I call the "Infinite Noise Multiplier", but I haven't designed 
> one for a board-level project yet.  It certainly will be more
> complex than using zener avalanche noise, so likely not a good match.
> With a Keccak sponge in an FPGA, I don't think there's any real need
> for high bandwidth true random data, so long as the TRNG seeds the
> sponge well.

The current TRNG design we have today has three main stages:

(1) Entropy providers. Each provider contains the functionality to
generate entropy based on some source. Currently we have one provider
based on avalanche noise and one based on ring oscillators inside the FPGA.

(2) The mixer. The mixer pulls available entropy from the providers and
collects it into 1024 bit blocks. The collection is done in strict
round robin fashion, which means that even though the ring oscillator
can generate much more entropy than the avalanche noise based provider,
they provide the same amount of entropy.

The 1024 bit block is fed into SHA-512 which generates a digest of 512
bits which is used as seed. And actually we run SHA-512 twice with 1024
bit entropy added each time in order to get in total 2x512 bits of seed.
This means that we need in total 2048 bits of entropy every time we do
reseeding. For the first, cold start reseed this takes less than a
second. For the next reseed, when the entropy sources have been able to
work independently, it is much faster (the entropy sources have (or will
have) fifos). The 1024 bit seed is then given to...

(3) The CSPRNG. This is the part that generates the random numbers
provided to applications. The CSPRNG is basically the stream cipher
ChaCha. The differences between vanilla ChaCha and our version are that
the 64 bit counter initial value is not all zero, but taken from part of
the seed, and that we do 24 rounds, not 20 (or 12 or 8). In total we use
512 + 256 + 128 = 896 bits of seed to initialize the CSPRNG.

Using ChaCha allows us to generate huge amounts of random data with high
performance at low clock frequencies in the FPGA. (ChaCha being an ARX
design is very compact and efficient in HW.) Also it allows users to
trade between security and speed by increasing/decreasing number of
rounds. Our 24 rounds is very conservative. Yet we can do about 500 Mbps
@ 50 MHz in an Altera Cyclone IV device. (I'm running it on a Terasic
DE0-Nano board).

We could generate 2**64-1 512 bit blocks of random data before
reseeding. Currently though the build time define sets this a fair bit
lower. There is also an API to allow the user to set the automatic
reseed to any value lower than the build define value. And you can
always just write to the control bit that forces reseed.

Currently there is debug access via the API to get raw data from the
entropy sources, but no test seed or debug mode. It will be there in the
future.

-- 
Kind regards, Yours

Joachim Strömbergson - Always in harmonic oscillation.
========================================================================
 Joachim Strömbergson          Secworks AB          joachim at secworks.se
========================================================================
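Added example (my own Python model, not the Cryptech Verilog and not code from the message or its author) that wires the three stages described above together end to end: two providers feeding a strict round-robin mixer, SHA-512 run twice over 1024-bit entropy blocks to form the 1024-bit seed, and a ChaCha CSPRNG with a configurable round count and a seed-derived 64-bit counter, including the build-time reseed limit, the lower-only API and a forced reseed. The providers are constructed deterministic stand-ins that supply no entropy; the split of the seed into key, IV and counter is an assumption (the message says 896 seed bits are consumed but not how they are laid out); all names (ChaChaCSPRNG, mixer_block, make_seed, simulated_provider) are mine.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # standard ChaCha constants


def simulated_provider(label):
    # CONSTRUCTED stand-in for a hardware entropy provider (avalanche noise or
    # ring oscillators). Deterministic so the example is testable; no entropy.
    counter = 0
    while True:
        digest = hashlib.sha256(f"{label}:{counter}".encode()).digest()
        for i in range(0, 32, 4):
            yield int.from_bytes(digest[i:i + 4], "little")
        counter += 1


def mixer_block(providers, block_bits=1024):
    # Strict round-robin: one 32-bit word from each provider in turn, so a fast
    # provider cannot crowd out a slow one inside a block.
    nwords = block_bits // 32
    words = []
    while len(words) < nwords:
        for provider in providers:
            words.append(next(provider))
    return struct.pack(f"<{nwords}I", *words[:nwords])


def make_seed(providers, digests=2):
    # SHA-512 over a fresh 1024-bit entropy block, `digests` times:
    # 2 x 512 = 1024 seed bits from 2048 bits of collected entropy.
    return b"".join(hashlib.sha512(mixer_block(providers)).digest()
                    for _ in range(digests))


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha_block(state, rounds):
    # ChaCha block function over a 16-word state. `rounds` must be even
    # (8/12/20 are the standard choices; the post uses 24).
    if rounds % 2:
        raise ValueError("ChaCha rounds come in column/diagonal pairs")
    x = list(state)
    for _ in range(rounds // 2):
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16I", *((x[i] + state[i]) & MASK32 for i in range(16)))


class ChaChaCSPRNG:
    # ChaCha keystream used as the CSPRNG, reseeded from seed_source().
    # ASSUMPTION: 256-bit key | 64-bit IV | 64-bit initial counter are taken
    # from the first 384 seed bits; the post consumes 896 but gives no layout.

    def __init__(self, seed_source, rounds=24, max_blocks=(1 << 64) - 1):
        self.seed_source = seed_source
        self.rounds = rounds
        self.build_max_blocks = max_blocks  # the "build time define"
        self.max_blocks = max_blocks
        self.reseed()

    def set_reseed_limit(self, blocks):
        # API knob: the automatic reseed point can only be lowered.
        if not 1 <= blocks <= self.build_max_blocks:
            raise ValueError("reseed limit must be in 1..build-time maximum")
        self.max_blocks = blocks

    def reseed(self):  # also plays the role of the "force reseed" control bit
        seed = self.seed_source()
        key, iv, ctr = seed[:32], seed[32:40], seed[40:48]
        self.state = (list(SIGMA) + list(struct.unpack("<8I", key))
                      + list(struct.unpack("<2I", ctr)) + list(struct.unpack("<2I", iv)))
        self.blocks = 0

    def next_block(self):
        if self.blocks >= self.max_blocks:
            self.reseed()
        out = chacha_block(self.state, self.rounds)
        self.blocks += 1
        # 64-bit counter in words 12 (low) and 13 (high). It starts from a seed
        # value, so it can wrap long before 2**64 blocks: reseed on wrap instead
        # of ever repeating keystream.
        self.state[12] = (self.state[12] + 1) & MASK32
        if self.state[12] == 0:
            self.state[13] = (self.state[13] + 1) & MASK32
            if self.state[13] == 0:
                self.reseed()
        return out

    def random_bytes(self, n):
        buf = bytearray()
        while len(buf) < n:
            buf += self.next_block()
        return bytes(buf[:n])
```

To run the whole pipeline: providers = [simulated_provider("avalanche"), simulated_provider("ring-osc")], then ChaChaCSPRNG(lambda: make_seed(providers), rounds=24).random_bytes(64). Before trusting a non-standard round count, check chacha_block at 20 rounds against the RFC 8439 section 2.3.2 block test vector (state words 12..15 = counter 1 and the 96-bit nonce); the 24-round variant has no published vector, so validate the core at 20 rounds first. The seed-derived initial counter also makes the 2**64-1 figure an upper bound rather than a guarantee, which is why the model treats a counter wrap as exhaustion.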

