[148421] in cryptography@c2.net mail archive


[Cryptography] An alternative electro-mechanical entropy source

daemon@ATHENA.MIT.EDU (Arnold Reinhold)
Thu Dec 12 13:15:53 2013

From: Arnold Reinhold <agr@me.com>
Date: Thu, 12 Dec 2013 06:44:43 -0500
To: Cryptography <cryptography@metzdowd.com>


On 10 Dec 2013 16:26, Bill Cox wrote:

> ... I took a good look at Intel's hardware random number generator source. There's a paper analyzing it here:
>
> http://www.cryptography.com/public/pdf/Intel_TRNG_Report_20120312.pdf
>
> The basic idea is that back-to-back inverters, when powered on, flip one way or the other randomly, sort of like DRAM memory when our computers power on. By powering on a single pair of back-to-back inverters over and over, they can generate a random bit per cycle, at about 3 Giga-bits/second, which is amazing! ...

My problem with the Intel design is that there is no way to audit it. The paper Bill cited points out that there is no access to the Intel entropy generator from software in production parts. All collected entropy is processed on-chip by a complex testing and whitening circuit that includes an AES-based RNG. There is plenty of room here to hide a way to restrict the entropy of generated bits in chips made for selected customers, or via some hidden command. Such a cooked chip would produce output indistinguishable from true random bits.

The Intel design completely misses the mark, in my opinion. For cryptographic security we don't need gigabits/second, we just need a couple of hundred bits of entropy we can trust to seed a strong deterministic RNG. And more than one source of entropy, preferably of different design, should be required for any system generating cryptographic keys.

Here is an idea I have been playing with to provide a slow but auditable source of entropy.

I propose combining an accelerometer chip to collect entropy with a vibration motor of the type used in cell phones. For those not familiar with the latter, they consist of a small motor with an unbalanced weight on the armature. Here is a drawing of one: http://www.puiaudio.com/pdf/MV4020-13HL-LWC38-R.pdf. Sealed coin types are also available, e.g. http://www.adafruit.com/products/1201. Accelerometer chips are available with a two-wire I2S bus for reporting data and are easy to interface to simple microprocessors. Both the accelerometer chips and the vibration motors are made in huge quantities and cost under a dollar in quantity. They can be audited separately. The items could be mounted on the mother board, daughter board or a USB dongle.

In operation, a few seconds of accelerometer readings would be collected with the motor cycling on and off. The readings would be analyzed in software for acceptable statistical properties and then hashed to provide the random bits. The process could be repeated at intervals to stir the RNG state.

There may well be enough mechanical uncertainty and measurement noise just in combining these two elements, but for extra credit, one could attach to either item or to the circuit board on which they are mounted a "rattle" consisting of one or two loose objects in a small box, perhaps made of clear plastic or with a clear window for visual inspection. The objects might be a ball bearing or a small pebble of gravel, say, quartz, or one of each. A pebble would provide a physically un-cloneable element. The rattle would be completely mechanical, but could be designed with solderable leads for automatic part placement machines, or it could be epoxied in place. It would be possible to immobilize the rattle with a magnet if ferrous ball bearings are used, or in a centrifuge. This could be useful for testing and it should be possible for software to distinguish the proper operation of the rattle statistically.

This entropy generator would be cheap, simple and low-tech, with little room to hide back doors.


Arnold Reinhold
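The "analyze in software, then hash" step of the proposal, as an added example that is not part of the post or of any product: a most-common-value min-entropy estimate plus an SP 800-90B style repetition-count test gate the readings, and SHA-256 conditions them into a 256-bit seed. The accelerometer samples are constructed here (a motor vibration tone plus Gaussian sensor noise); the safety margin, the significance level and the choice of SHA-256 are assumptions of this example.

```python
import hashlib
import math
import random
from collections import Counter


def min_entropy_per_sample(samples):
    """Most-common-value estimate: -log2 of the most frequent reading's share.
    Conservative and easy to audit; a stuck sensor or rattle scores 0 bits."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def repetition_count_failed(samples, h_est, alpha_bits=20):
    """SP 800-90B style repetition-count test. A run of one value of length
    1 + ceil(alpha_bits / H) or more has probability below 2^-alpha_bits, so
    treat it as a stuck accelerometer or an immobilised rattle."""
    cutoff = 1 + math.ceil(alpha_bits / h_est)
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return True
    return False


def condition(samples, needed_bits=256, margin=2):
    """Health-check raw readings and return a 256-bit seed, or None when the
    estimated entropy does not cover needed_bits with the given margin."""
    h = min_entropy_per_sample(samples)
    if h * len(samples) < margin * needed_bits:
        return None
    if repetition_count_failed(samples, h):
        return None
    raw = b"".join(int(s).to_bytes(2, "big", signed=True) for s in samples)
    return hashlib.sha256(raw).digest()


# Constructed stand-in for a few seconds of one accelerometer axis at ~1 kHz:
# a vibration tone from the motor plus sensor noise. A real design would read
# the chip over its bus instead of synthesising samples.
_rng = random.Random(7)
NOISY_READINGS = [int(500 * math.sin(0.3 * i) + _rng.gauss(0, 40)) for i in range(2000)]
STUCK_READINGS = [100] * 2000

if __name__ == "__main__":
    print(condition(NOISY_READINGS).hex())
    print(condition(STUCK_READINGS))
```

A stream that starts healthy and then freezes (motor stops, rattle pinned) still passes the entropy total but is caught by the repetition-count test, which is why both checks are applied.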



_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography