Hardware random number generator
Extremely rough draft
How do I build a good hardware random number generator?
some applications of random numbers
Perhaps the most common application of random numbers is as part of the "https://" protocol for viewing websites. It, like many cryptographic protocols, uses special "one-time" nonce numbers that ideally are generated by a hardware random number generator.
After I build a hardware random number generator, what is a good way to feed the sequence of random numbers into such applications?
radio?
A few radio projects "randomly" distribute the radio energy over a wide spectrum (spread spectrum). They use something like a random number generator to pick which frequency to use at any one instant. However, as far as I am aware, such systems never use unguessable hardware random number generators, because the receiver must be able to guess the sequence of frequencies used by the transmitter (or vice-versa). As far as I know, non-military spread spectrum radios don't even use a cryptographic pseudo-random sequence, but (to make synchronization between receiver and transmitter easier and to reduce cost and simplify the hardware) always use some non-cryptographic pseudo-random sequence, often a maximum-length sequence (easy to construct with a linear-feedback shift register (LFSR)) or Gold code system.
a few more-or-less open-source HRNG designs
endolith / probably_random.ino : Arduino hardware true random number generator [2]
Sergio Callegari; Riccardo Rovatti; and Gianluca Setti. "Embeddable ADC-Based True Random Number Generator for Cryptographic Applications Exploiting Nonlinear Signal Processing and Chaos" [4] [5] [6]
"Infinite Noise TRNG (True Random Number Generator): The world's easiest TRNG to get right" by Bill Cox, who gives credit to Peter Allan. [7]
DAV: Callegari's ADC-Based True Random Number Generator looks very similar to the "Infinite Noise TRNG" approach. What is the difference, if any?
Whirlygig [11]
whirlyfly [12]
Some of these open-source hardware random number generators produce over 500 KBytes of high-quality randomness.
While pseudo-random number generators running on commodity desktop machines run many times faster, I find it hard to imagine any application for high-quality random numbers where 500 KBytes/s is "too slow".
Will Ware. Hardware Random Bit Generator. [15]
Hardware Random Number Generator [16] "(Yet Another) avalanche noise hardware random number generator" " ... based upon a design by Will Ware." " ... The final device, after moving the whitening logic to firmware (for completeness sake, but at a significant speed expense), achieved 9 kB/sec random data."
"The Hardware Random Number Generator" page [17]: lots of discussion of theory.
...
"what is the best method of testing a hardware random number generator?" [18]
I hear other people say that all modern Smart Cards contain a physical hardware random number generator ([19]).
sources of entropy
- noise from a reverse-biased transistor, which is apparently due to quantum tunneling.
- oscillator jitter (which requires at least 2 oscillators to detect), which is apparently due to thermal noise (?) (How can we tell that the 2 oscillators are actually independent, and have not accidentally become phase-locked?)
A few notes on HRNG theory
"As of 2004, the best random number generators have 3 parts: an unpredictable nondeterministic mechanism, entropy assessment, and conditioner. ... If the estimate is good, the conditioned output bits are unbiased full-entropy bits even if the nondeterministic mechanism degrades over time. In practice, the entropy assessment is the difficult part." -- [21]
With a properly implemented randomness extractor, as long as the HRNG is in a physically secure room, most conceivable "attacks" (through-the-air electromagnetic interference, through-the-power-lines electromagnetic interference, etc.) at worst merely slow down the rate at which high-quality random bits are produced; they don't reduce the quality of whatever bits are produced. (The randomness extractor automatically compensates for any reduced quality of the internal raw data samples, throwing out "suspicious" samples).
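The three-part structure quoted above (nondeterministic mechanism, entropy assessment, conditioner) and the "slower, not worse" behaviour described in the last paragraph, as an added example that is not taken from any of the designs listed on this page. It assumes independent 8-bit ADC samples, a simplified most-common-value min-entropy estimate, SHA-256 as the conditioner and a constructed simulated source; all names and constants are hypothetical.

```python
import hashlib
import math
import random
from collections import Counter

OUT_BITS = 256   # one SHA-256 digest per output block
SAFETY = 2.0     # assumed margin: credit 2x OUT_BITS of estimated entropy per block
WINDOW = 1024    # assumed number of raw 8-bit samples per assessment window

def min_entropy_per_sample(window):
    """Simplified most-common-value estimate: H_min = -log2(p_max).
    Valid only for independent samples; correlation makes it over-estimate."""
    p_max = Counter(window).most_common(1)[0][1] / len(window)
    return -math.log2(p_max)

def condition(raw_samples):
    """Return (output_blocks, raw_samples_consumed_for_each_block)."""
    blocks, costs = [], []
    h, credit, used = hashlib.sha256(), 0.0, 0
    for i in range(0, len(raw_samples) - WINDOW + 1, WINDOW):
        window = raw_samples[i:i + WINDOW]
        used += WINDOW
        est = min_entropy_per_sample(window)
        if est <= 0.0:            # stuck source: discard the window, credit nothing
            continue
        h.update(bytes(window))
        credit += est * WINDOW
        if credit >= SAFETY * OUT_BITS:
            blocks.append(h.digest())
            costs.append(used)
            h, credit, used = hashlib.sha256(), 0.0, 0
    return blocks, costs

def simulated_adc(n, p_stuck, seed):
    """Constructed source: emits 0x80 with probability p_stuck, else a uniform byte."""
    rng = random.Random(seed)
    return [0x80 if rng.random() < p_stuck else rng.randrange(256) for _ in range(n)]

if __name__ == "__main__":
    for label, p in (("healthy", 0.0), ("degraded", 0.9), ("stuck", 1.0)):
        blocks, costs = condition(simulated_adc(16384, p, seed=1))
        print(label, "blocks:", len(blocks), "raw samples per block:", costs)
```

The degraded source yields fewer blocks from the same number of raw samples and the stuck source yields none. The estimate is only as trustworthy as the independence assumption behind it, which is why the quote calls entropy assessment the difficult part.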