Peter Monta writes:
But how wrong is wrong? Unless the design is catastrophically bad, a zener source is going to give you zener noise plus some slight admixture of interference. Say the designer is extremely careless and there's deterministic interference 20 dB down. I don't see how even that matters cryptographically---the resulting loss in entropy will be millibits per sample.
[lots elided]
As a smart EE, it's very easy for you to personally understand the design of a device you have personally constructed well enough that you can trust it. On the other hand, consider a black box Johnson noise based device that you are handed. You check the random numbers coming out; they seem roughly right. You know, of course, that the box could simply be a very clever Blum-Blum-Shub based PRNG with the seed being stored at the enemy's secret lab, and you wouldn't have any solid handle on how to determine that without taking the device apart. On the other hand, I can take a radiation detector and test it damn easily with easy to acquire calibrated sources.
A radioactive source might be okay at the board level (though probably costlier than its electronic counterpart), but it'd be a pain to integrate, and it might disturb the rest of the chip.
Certainly you can't put such a device into a portable phone -- a Zener diode beats a Geiger counter in such cases. On the other hand, a portable phone has to deal with a threat model in which there are very simple ways -- like plain eavesdropping -- to hear the conversation. If, though, you have a large electronic bank's central key management machine in mind, the extra trouble of using an external radiation detector would probably be worthwhile, assuming you had plugged other holes, given the ease with which the system may be tested and the amount of cash at stake.

Perry
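The black-box scenario from the message above, as an added example that is not part of the original thread: a toy Blum-Blum-Shub generator whose output passes the same output-only checks as `os.urandom`, yet is regenerated bit for bit by anyone holding the seed. The primes, the seed and all function names are constructed for illustration; a real BBS modulus would use large secret primes.

```python
import os

# Toy Blum primes (both are 3 mod 4), constructed for this example only.
P, Q = 2879, 1439
N = P * Q
SECRET_SEED = 123457  # constructed value; stands in for the seed kept elsewhere


def bbs_bits(seed, count):
    """Yield `count` bits from Blum-Blum-Shub: x <- x^2 mod N, output the LSB."""
    x = (seed * seed) % N  # start from a quadratic residue
    for _ in range(count):
        x = (x * x) % N
        yield x & 1


def urandom_bits(count):
    """Return `count` bits from the operating system's generator, for comparison."""
    data = os.urandom((count + 7) // 8)
    return [(b >> i) & 1 for b in data for i in range(8)][:count]


def device_output(count):
    """The 'black box': fully deterministic, but the tester only sees bits."""
    return list(bbs_bits(SECRET_SEED, count))


def black_box_stats(bits):
    """Output-only checks: fraction of ones, and the number of runs
    relative to the roughly n/2 runs expected from an unbiased source."""
    bits = list(bits)
    n = len(bits)
    ones = sum(bits) / n
    runs = 1 + sum(a != b for a, b in zip(bits, bits[1:]))
    return {"ones": round(ones, 3), "runs_ratio": round(runs / (n / 2), 3)}


if __name__ == "__main__":
    n = 20000
    print("black box :", black_box_stats(device_output(n)))
    print("os.urandom:", black_box_stats(urandom_bits(n)))
    # Whoever holds the seed predicts the device's entire stream.
    print("predicted :", device_output(n) == list(bbs_bits(SECRET_SEED, n)))
```

Both sources produce statistics close to 0.5 and 1.0, so the output alone gives no basis for telling them apart; only inspecting the mechanism does.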