[Gnuk-users] TRNG output

NIIBE Yutaka gniibe at fsij.org
Tue Aug 25 08:32:23 UTC 2015


Hello,

Fix to the last message of mine:
While the thesis I referred to is good to read (because it explains
many related things), I should have referred to this paper for the
specific idea of using an ADC component as a source of entropy:

    Fabio Pareschi, Gianluca Setti, Riccardo Rovatti
    A Fast Chaos-based True Random Number Generator for Cryptographic Applications
    http://www.researchgate.net/publication/224056101_A_Fast_Chaos-based_True_Random_Number_Generator_for_Cryptographic_Applications


On 08/25/2015 04:23 PM, Kurt Roeckx wrote:
> On Tue, Aug 25, 2015 at 02:32:17PM +0900, NIIBE Yutaka wrote:
>>
>> With the tab 'Design Resources' clicked, you will find the document
>> RM0008, which is the reference manual (CD00171190.pdf).  In chapter
>> 11, the ADC is described.
> 
> I found the various manuals and found that it's a SAR ADC, which I
> was expecting because of the results I saw.

Yes.

The reference manual says in "11.1 ADC introduction" (page 214):

    The 12-bit ADC is a successive approximation analog-to-digital
    converter.

Yes, the observed change in the sampled values comes from the
architecture of the ADC.

>> Formal model of this sampling data could be built easier if
>> DELIBARATELY_DO_IT_WRONG_START_STOP is disabled and we only use LSB of
>> each sample.
> 
> If you only use the LSB I think you're throwing away too much of
> the entropy.

Yes.  In the current implementation, I use all the bits (to feed to
CRC32 and SHA-256 conditioning, in the case of filtered output).  I "buy"
it in the belief that it was/is genuine somehow.  I mean, it changes
unexpectedly, it is not predictable, it is not controlled and it is
not (easily) possible to control its value from outside.

The reason I suggested "we only use the LSB of each sample" is for
formal modeling of NeuG.  It makes formal modeling easier.  I don't
know whether such formal modeling is needed or not.

My point is that ADC sampling itself can be a source of entropy.  To
support this point, I referred to Fabio Pareschi.  Their idea is to use
an ADC component (not the ADC itself, but a building block of an ADC) in
an ASIC or LSI to implement a TRNG, so this is not directly related to
NeuG (which uses an existing SAR ADC on a chip).


Since I don't have enough capability to describe the whole process of
analog-to-digital conversion and its use by NeuG accurately, I explain
it as "NeuG is based on the sampling noise of ADCs".  Improvements to
this wording are welcome.

> I also think using the CRC32 step isn't a good thing.

Thanks for your opinion.  If we follow the draft standard NIST SP
800-90B (or any practice like that), CRC32 filtering would/should be
removed.  It is added as a pre-filter in front of the SHA-256 conditioning
component.  It is done this way because SHA-256 computation is so
expensive on the board, while we have a CRC32 unit available.  By
filtering through the CRC32 unit, we can compress the bandwidth into
SHA-256; that is my intention.

Besides, the SHA-256 conditioning component would be overkill if the
usage is mixing this kind of input into /dev/random on the host.  Simple
conditioning by CRC32 would just work.


> The best paper I could find on how I would like to do it is:
> http://www.av8n.com/turbid/paper/turbid.htm

Thank you for the reference.  I will read.
-- 
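A model of the conditioning chain discussed in this message (ADC samples, then a CRC32 pre-filter that compresses the bandwidth, then SHA-256 conditioning, with the "LSB of each sample" variant alongside for comparison), as an added Python example that is not NeuG's code or the author's. The sample values are constructed by a tiny LCG and are not real noise; the 16-bit sample packing, the 8-samples-per-CRC-word and 32-CRC-words-per-hash ratios are assumptions of the example; the CRC routine is CRC-32/MPEG-2 (polynomial 0x04C11DB7, init 0xFFFFFFFF, no reflection, no final XOR), which reproduces the STM32F1 CRC unit when each 32-bit word is fed MSB-first.

```python
import hashlib
import math
import struct
from collections import Counter

# Polynomial and initial value of the STM32F1 hardware CRC unit
# (the same parameters as CRC-32/MPEG-2).
CRC32_POLY = 0x04C11DB7
CRC32_INIT = 0xFFFFFFFF


def crc32_mpeg2(data: bytes, crc: int = CRC32_INIT) -> int:
    """Bit-serial CRC-32, MSB first, no reflection, no final XOR.

    Fed 32-bit words big-endian (struct '>I'), this matches what the
    STM32 CRC unit computes.  The crc argument lets a caller chain blocks.
    """
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = ((crc << 1) ^ CRC32_POLY) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
    return crc


def constructed_adc_samples(n: int, seed: int = 1) -> list:
    """Constructed 12-bit SAR-ADC-like samples: a slowly drifting DC level
    plus three LSBs of jitter from an LCG.  Deterministic and NOT real
    noise; it only gives the pipeline something to process offline."""
    state = seed & 0xFFFFFFFF
    samples = []
    for i in range(n):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        jitter = (state >> 16) & 0x7          # assumed 3 noisy LSBs
        level = 0x800 + ((i // 16) % 8)       # assumed drifting level
        samples.append((level + jitter) & 0xFFF)
    return samples


def lsb_only(samples: list) -> bytes:
    """The 'only use the LSB of each sample' variant: keep bit 0 of each
    sample, packed MSB-first, eight samples per byte.  Easier to model,
    but the other eleven bits of every sample are discarded."""
    out = bytearray()
    usable = len(samples) - len(samples) % 8
    for i in range(0, usable, 8):
        byte = 0
        for s in samples[i:i + 8]:
            byte = (byte << 1) | (s & 1)
        out.append(byte)
    return bytes(out)


def crc32_prefilter(samples: list, samples_per_word: int = 8) -> list:
    """CRC32 pre-filter: compress each block of 16-bit samples into one
    32-bit CRC word.  Assumption: one 12-bit sample per 16-bit half-word,
    so 128 bits go in and 32 bits come out (4:1 reduction before SHA-256)."""
    words = []
    usable = len(samples) - len(samples) % samples_per_word
    for i in range(0, usable, samples_per_word):
        block = struct.pack(">%dH" % samples_per_word,
                            *samples[i:i + samples_per_word])
        words.append(crc32_mpeg2(block))
    return words


def sha256_condition(crc_words: list, words_per_output: int = 32) -> list:
    """SHA-256 conditioning: hash words_per_output CRC words (1024 bits by
    default) into one 256-bit output.  The 4:1 ratio is this example's
    choice; it keeps input bits above output bits, as a conditioning
    component is expected to."""
    outputs = []
    usable = len(crc_words) - len(crc_words) % words_per_output
    for i in range(0, usable, words_per_output):
        chunk = struct.pack(">%dI" % words_per_output,
                            *crc_words[i:i + words_per_output])
        outputs.append(hashlib.sha256(chunk).digest())
    return outputs


def min_entropy_mcv(values: list) -> float:
    """Most-common-value min-entropy estimate in bits per value
    (the SP 800-90B estimator without its confidence bound)."""
    most = Counter(values).most_common(1)[0][1]
    return -math.log2(most / len(values))


def neug_like_pipeline(n_samples: int = 2048) -> bytes:
    """Constructed samples -> CRC32 pre-filter -> SHA-256 conditioning."""
    samples = constructed_adc_samples(n_samples)
    return b"".join(sha256_condition(crc32_prefilter(samples)))


if __name__ == "__main__":
    s = constructed_adc_samples(4096)
    print("full-sample MCV estimate:", round(min_entropy_mcv(s), 3), "bits/sample")
    print("LSB-only MCV estimate:   ", round(min_entropy_mcv([x & 1 for x in s]), 3))
    print("conditioned output:", neug_like_pipeline().hex()[:64], "...")
```

The min-entropy comparison makes the "throwing away too much entropy" remark concrete: the estimate for the LSB stream can never exceed 1 bit per sample, while the full-sample estimate is bounded by whatever the 12-bit distribution supports, and on the same samples it is never lower than the LSB-only figure. The ratios in the pre-filter and the hash stage are where a design would be tuned against a measured per-sample entropy rate.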