Re: [cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics
Thank you for this quick feedback.
On 15/09/16 09:04 PM, d...@deadhat.com wrote:
Hi!
A true random number generation strategy is no better than its
trustworthiness. Here is a suggestion for a simple scheme which rests on
a common digital electronic design.
[...]
Unavoidable current noise source:
- thermal noise
- excess current noise caused by the above resistor material
construction
Noise sources to be reduced (as a matter of sampling approach coherency)
- electrostatic ...
- electromagnetic ...
Any thoughts?
Yes.
A) Can you build 100,000,000 and expect them all to work?
No. The stated goal is to provide some scheme that a few wise guys may
trust. So, building 20 units and having you as a satisfied user would be
a more realistic goal. Microsoft and Apple seem to be trusted by the crowd.
B) Can you expect the those 100,000,000 resistors to behave in a
consistent manner or will the supplier switch compounds on you while you
aren't looking. If you try and buy a paper-oil cap today, you'll get a
poly pretending to be paper-oil. I assume it's the same for obsolete
resistor compounds.
This brings the question of characterization of cheap material procured
from the mass market channels. Obviously it is part of the detailed
crafting process.
Realistically, one would be able to avoid the trouble here, e.g. by
buying a few rolls of 5000 resistors from a few manufacturers.
C) What are the EM injection opportunities to measured noise? Can you
saturate the inputs?
Also part of the implementation details to watch. This small circuit may
be located in a Faraday cage. Hopefully its internals will remain tamper
evident for a very paranoiac user.
About input saturation, the expected result of experimentation (with
analysis) is some confidence that current noise is the main source of
data fluctuation (I do not state which statistic to apply here for "data
fluctuation"), and then EM could hardly induce the relevant resistor
currents without e.g. a large coil within a short distance. Admittedly,
this is not a definitive answer for a very paranoiac user.
Do you have a scheme overall immune to EM injection opportunities? Is
the complexity of this scheme such that every external influence
opportunities may be ruled out?
D) How are you planning to characterize the min entropy of the source? We
know the min entropy of well defined Gaussian noise, but what about shot,
1/f and all the other weird distributions?
D_a) Can you distinguish that noise from system noise that might be
systematic rather than entropic.
Two aspects: entropy and the inherently compound measurement of multiple
(and little understood) noise source ("noise from system" might be
rather vague for a physicist).
About compound measurement, careful crafting of the wheatstone bridge
(and its excitation voltage source) is expected to provide some
assurance that current noise (thermal noise and excess current noise
from resistor material properties) is the foremost contributor to data
fluctuations.
Min entropy characterization: no definite plan. The raw 24 bits samples
will be available for attempts at distribution characterization. I
suspect however that a paranoiac user will fear that after gigabytes of
data fed to the characterization process, the source might suddenly turn
low entropy when the data is switched to the cryptographic random secret
generation process.
E) Do you have an extractor algorithm in mind that is proven to work at
the lower bound for the min entropy you expect from the source?
I might have ideas in this area of concern but "proven extractor
algorithm" is something orthogonal to the source: a proven algo would
have its proof for a given "min entropy" abstract concept.
F) Are you wanting computational prediction bounds at the output of the
extractor or do you want H_inf(X) = 1.
F_1) If you want the entropy answer, then you need to consider multiple
input extractors.
F_2) Oh, and quantum-safe extractors are a thing now.
These questions, which I do not understand fully, would be orthogonal to
the source.
G) Are any certifications required. In my experience P(Y) -> 1 as t ->
infinity. Projects who swore up and down that they weren't doing FIPS
would come back 2 years later, with a finished chip and ask "Can this be
FIPS certified", after a customer made their requirements clear.
This question need not be addressed now ( P(Y) unknown as t=0! ).
That's my usual list of questions. They may or may not apply to your
situation.
Thanks for sharing this.
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics
> Hi! > > A true random number generation strategy is no better than its > trustworthiness. Here is a suggestion for a simple scheme which rests on > a common digital electronic design. > [...] > Unavoidable current noise source: > - thermal noise > - excess current noise caused by the above resistor material > construction > Noise sources to be reduced (as a matter of sampling approach coherency) > - electrostatic ... > - electromagnetic ... > > Any thoughts? > Yes. A) Can you build 100,000,000 and expect them all to work? B) Can you expect the those 100,000,000 resistors to behave in a consistent manner or will the supplier switch compounds on you while you aren't looking. If you try and buy a paper-oil cap today, you'll get a poly pretending to be paper-oil. I assume it's the same for obsolete resistor compounds. C) What are the EM injection opportunities to measured noise? Can you saturate the inputs? D) How are you planning to characterize the min entropy of the source? We know the min entropy of well defined Gaussian noise, but what about shot, 1/f and all the other weirdy distributions? D_a) Can you distinguish that noise from system noise that might be systematic rather than entropic. E) Do you have an extractor algorithm in mind that is proven to work at the lower bound for the min entropy you expect from the source? F) Are you wanting computational prediction bounds at the output of the extractor or do you want H_inf(X) = 1. F_1) If you want the entropy answer, then you need to consider multiple input extractors. F_2) Oh, and quantum-safe extractors are a thing now. G) Are any certifications required. In my experience P(Y) -> 1 as t -> infinity. Projects who swore up and down that they weren't doing FIPS would come back 2 years later, with a finished chip and ask "Can this be FIPS certified", after a customer made their requirements clear. That's my usual list of questions. They may or may not apply to your situation. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] True RNG: elementary particle noise sensed with surprisingly simple electronics
Hi! A true random number generation strategy is no better than its trustworthiness. Here is a suggestion for a simple scheme which rests on a common digital electronic design. While helping an undergrad student in a weight scale project, I encountered an A-to-D conversion circuit datasheet where some fundamental noise was explicitly quantified. After a little research, I learned that a foremost unavoidable noise source is resistor "current noise" (i.e. occurring due to an elementary physics phenomenon): Thick-film resistors are made of a mixture of conductive particles (metallic grains) with a glassy binder and an organic fluid. This “ink” is printed on a ceramic substrate and heated in an oven. During this firing process the conductive particles within the glassy matrix are fused to the substrate and form the resistor. [All types of resistors] have in common that the total noise can be divided into thermal noise and excess noise. Excess current noise is the bunching and releasing of electrons associated with current flow, e.g. due to fluctuating conductivity based on imperfect contacts within the resistive material. The amount of current-noise depends largely on the resistor technology employed. [T]hick film resistors show large excess noise. Source: Frank Seifert, "Resistor Current Noise Measurements," April 14, 2009 The classical weight scale design is based on an 24 bits A-to-D (analog to digital) conversion with the sensing circuit made of a wheatstone bridge (a simple resistor network arrangement) that amplifies minute variations in individual resistor voltage caused by strain gauge deformation (a small directional stress on a strain gauge induce a change in resistor value). The basic idea of turning this classical design into a true noise sensing application is this one: replace the (minutely) variable resistor by a fixed resistor with a high noise level. The surprisingly simple electronics is illustrated by two A-to-D integrated circuits (Avia Semiconductor HX711 and Texas Instrument ADS1232) and the open hardware design for a weight scale microprocessor board (SparkFun OpenScale). Obviously the evil is in the details, and some refinements are desirable since a) the noise sensing application is better served with a larger signal amplification, and b) the confidence in the noise sampling approach is (presumably) raised if noise sources other than current noise are reduced with appropriate circuit design techniques. But none of this is rocket science (e.g. compared with other elementary physics noise sampling such as so-called quantum noise generators). Unavoidable current noise source: - thermal noise - excess current noise caused by the above resistor material construction Noise sources to be reduced (as a matter of sampling approach coherency) - electrostatic ... - electromagnetic ... Any thoughts? Regards, - Thierry Moreau ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] What the World's First Quantum Satellite Launch Means
http://fortune.com/2016/08/16/china-quantum-satellite-launch/ That’s one small step for man, one quantum leap for China. China blasted the world’s first quantum communications satellite into orbit from the Gobi Desert early Tuesday. The project signals the dawn of a potentially game-changing communications technology: quantum key distribution—a dependable system for exchanging secrets (more on this in a bit)—as beamed from space. If the experiment is successful, it could lead to considerably more secure global communications. While many news outlets have followed Chinese state media’s cue and described the technology as “hack-proof,” a more appropriate descriptor would be “tamper resistant.” (Nothing is “hack-proof.”) Quantum crypto-systems achieve this by exploiting the quirky properties of subatomic particles Here’s how the science works. The fundamental problem of cryptography involves exchanging keys—secret alphanumeric strings—that enable people to encode and decode messages. When two parties swap keys, they normally have no indication whether anyone has intercepted them; an interloper with stolen keys can eavesdrop on correspondence or manipulate it. When quantum science is applied, the keys can be made to self-destruct or change if a third party interferes with their transmission. The keys are sent using pairs of entangled photons, or light particles that share a special bond, to carry the information. The Wall Street Journal quoted an executive familiar with the technology as comparing it to “sending a message written on a soap bubble.” Touch, and it pops. The technology is defensive in nature. China, which has increased funding for basic science research in this area over the past few years (likely in response to revelations about other countries’ hacking capabilities) played that aspect up by naming the satellite Micius in honor of an ancient Chinese philosopher who preached a philosophy of “universal love.” Dubbed Quantum Experiments at Space Scale, the Chinese experiment is not the first time quantum key distribution has been attempted. Ground-based fiber optic networks have successfully transmitted quantum keys in the United States, Europe, and China. Other countries like the U.K. and Singapore have smaller experiments in the works. Bringing this quantum technology to a satellite network will be a grand feat, however. The team, led by Pan Jianwei, said they would attempt to transmit quantum keys from Beijing to Vienna to test the system’s feasibility. The experiment of beaming finicky particles over vast distances will be tricky. Yet it could vault China over the international competition in counter-surveillance tech if it does succeed. For space-based quantum cryptography, the race is on. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
