On Oct 18, 2013, at 12:16 AM, Cathal Garvey (Phone) 
<[email protected]> wrote:

>> Accepted, entirely, but if "noisy diodes" are all you need for quantum 
>> entropy, why are designs for OSHW entropy generators so scarce? I suggested 
>> smoke alarms not through radioactivity-fetishism but because of ubiquity and 
>> low cost, likely low difficulty to adapt.

>Because people think that over-the-top is necessary.

>Perhaps more to the point, people start gilding the lily, and then worrying 
>about how pure the gold is on the lily, and then deciding that the gilt on the 
>lily needs to be mono-atomic and to form a single crystal.

>Even more to the point, they start thinking in their heads that they will be 
>criticized for not having a single-crystal structure on the gilt on their 
>lily, and give up. 

>After that, they criticize other people who grow lilies because -- heck, 
>anyone can do that, and years ago, they gave up on lilies because of how hard 
>it is to get mono-crystalline gilt. Go look it up in the cypherpunks archives, 
>for pete's sake. Nicholas Bourbaki discussed it to death there back in '92.

>Building a good RNG is both simpler than you think and harder. You need:

>* An unguessability source. It doesn't have to be as good as you think it 
>does. If it's crap, you just need more. It just has to be unguessable. The 
>deterministic process going on on my LAN might be good enough. It might not. 
>What matters is the work factor of guessing.

A few weeks ago I posted a cite which referred to a RNG.  (actually three 
cites; one of them was this).  One of them consisted of a number (I'd choose 4, 
arbitrarily) of 'ring oscillators' (an odd number of digital inverters 
connected in a loop; I'd choose 7, 11, 13, and 17 inverters, being primes and 
unlikely to synchronize) which were each tapped at some point, feeding 2-input 
XOR (exclusive-or) gates, and those XOR outputs themselves being XOR'd 
together.  The output would feed the D input of a D-flip-flop, and that would 
be clocked via a signal synchronized with the (external) CPU clock.  (A read 
signal, presumably).  It could be built in relatively old technology (250 
nanometers) with inverter delays of about 20 picoseconds, so the frequencies 
seen in the oscillator taps would be about 4/2.5/2.1/1.6 gigahertz.  Such a 
device could probably be accessed 
(clocked by the D-flip-flop) at 100 MHz, which is a far greater rate (100 
megabits/second of random bits) than most systems would need.  
    Such a system might have a  little bias, perhaps leading to there only 
being 0.9 bits of entropy in each bit, but as a source of entropy that would be 
okay.  A somewhat more complex chip could store thousands of bits, perhaps with 
a microprocessor to monitor randomness and/or produce a truly random output.
      A logical company to build such a thing would be Texas Instruments, which 
was big on TTL (SSI, MSI, LSI, VLSI) even in the early 1970s, or any one of a 
few dozen other glue-logic manufacturers.   Target price:  50 cents in 1000's.
      Jim Bell
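
The entropy accounting behind "if it's crap, you just need more" and the "0.9 bits of entropy in each bit" figure, as an added example that is not part of the original message. It assumes the 0.9 figure is Shannon entropy of independent bits, a 2x collection margin, and SHA-256 as the conditioner; a seeded software generator stands in for the hardware.

```python
import hashlib
import math
import random

def shannon_entropy(p):
    """Shannon entropy in bits of a single bit that is 1 with probability p."""
    if p in (0.0, 1.0):
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def bias_for_entropy(h):
    """Find p >= 0.5 whose Shannon entropy is h, by bisection."""
    lo, hi = 0.5, 1.0            # entropy falls from 1 to 0 on this interval
    for _ in range(60):
        mid = (lo + hi) / 2
        if shannon_entropy(mid) > h:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def min_entropy(p):
    """Min-entropy per bit: the measure tied to an attacker's best guess."""
    return -math.log2(max(p, 1 - p))

def raw_bits_needed(p, seed_bits=256, margin=2.0):
    """Raw bits to collect so the pool holds margin * seed_bits of min-entropy."""
    return math.ceil(margin * seed_bits / min_entropy(p))

def estimate_p(bits):
    """Monitoring step: observed fraction of ones in a raw sample."""
    return sum(bits) / len(bits)

def condition(bits):
    """Compress raw bits into a 256-bit seed with SHA-256 (assumed conditioner)."""
    packed = bytes(
        sum(b << i for i, b in enumerate(bits[k:k + 8]))
        for k in range(0, len(bits), 8)
    )
    return hashlib.sha256(packed).digest()

if __name__ == "__main__":
    p = bias_for_entropy(0.9)                 # the "0.9 bits per bit" case
    rng = random.Random(2013)                 # constructed stand-in for the hardware
    sample = [int(rng.random() < p) for _ in range(100_000)]
    n = raw_bits_needed(estimate_p(sample))
    print(f"p={p:.3f} min-entropy={min_entropy(p):.3f} raw bits for seed={n}")
    print(condition(sample[:n]).hex())
```

Under these assumptions a source at 0.9 Shannon bits per bit has only about 0.55 bits of min-entropy per bit, so the guessing work factor, not the Shannon figure, sets how many raw bits to collect.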
