Re: Sources of randomness
Perry Metzger writes:
[ radioactive vs. other ]
I didn't contend that it's inferior. I contended that it's difficult to distinguish from sources of electronic interference and is easy to get wrong.
Point taken; it sounds like I misread your post a bit. Certainly it's better to have a robust implementation than a delicate one, but let me argue how hard it might be to get electronic sources wrong.
... Someone can gimmick a zener diode or get it "wrong" a lot more easily than they can get a radiation event wrong.

But how wrong is wrong? Unless the design is catastrophically bad, a zener source is going to give you zener noise plus some slight admixture of interference. Say the designer is extremely careless and there's deterministic interference 20 dB down. I don't see how even that matters cryptographically---the resulting loss in entropy will be millibits per sample.

Perhaps there ought to be a couple of standard random-bit-source implementations, say at the CMOS-standard-cell and board-subsystem levels, that are widely vetted and trusted (and used!). But it's mostly a solved problem, seems to me.

A radioactive source might be okay at the board level (though probably costlier than its electronic counterpart), but it'd be a pain to integrate, and it might disturb the rest of the chip. (I'd like to have a get_random_bit instruction as part of a microprocessor, for example.) Also if you want a high rate of random bits, you need many decay events, whereas for electronic sources the corresponding bandwidth is free---Johnson and shot noise are flat to 1 THz or so.

Interestingly enough, zener diodes and particle detectors are a lot alike. Zeners, if they're avalanching, already have some internal gain; each electron crossing the junction gets so hot it knocks off other electrons, and there's a chain reaction. Particle detectors take the ion trail in a suitable environment and make a nice big pulse out of it with a similar chain-reaction effect (though the fancier kind will give you the actual amount of charge).

Cheers,
Peter Monta
pmonta@qualcomm.com
Qualcomm, Inc./Globalstar
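The entropy-loss estimate in the message above, worked numerically as an added example (not part of the original post). Assumed model, not stated in the thread: unit-variance Gaussian noise plus a sinusoidal interferer whose phase the attacker knows, sliced to one bit by a comparator at zero; the function names are hypothetical.

```python
import math

def h2(p):
    """Binary Shannon entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def norm_cdf(x):
    """CDF of the standard normal distribution."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def interferer_amplitude(db_down):
    """Peak amplitude of a sinusoid whose power is db_down dB below
    unit-variance noise (sinusoid power = A^2 / 2)."""
    return math.sqrt(2.0 * 10.0 ** (-db_down / 10.0))

def shannon_loss_bits(db_down, steps=10000):
    """Average entropy lost per 1-bit sample when the attacker knows
    the interferer's phase (assumed model: comparator at zero)."""
    a = interferer_amplitude(db_down)
    total = 0.0
    for k in range(steps):
        # Midpoint rule over one full period of the interferer.
        theta = 2.0 * math.pi * (k + 0.5) / steps
        p_one = norm_cdf(a * math.sin(theta))  # P(bit = 1 | phase)
        total += h2(p_one)
    return 1.0 - total / steps

def min_entropy_loss_bits(db_down):
    """Worst-case loss: min-entropy of the single sample taken at the
    interferer's peak, where the bias is largest."""
    p_max = norm_cdf(interferer_amplitude(db_down))
    return 1.0 + math.log2(p_max)  # 1 - (-log2 p_max)

if __name__ == "__main__":
    for db in (10, 20, 30, 40):
        print(f"{db:2d} dB down: "
              f"Shannon loss {shannon_loss_bits(db) * 1000:8.3f} mbit/sample, "
              f"peak min-entropy loss {min_entropy_loss_bits(db) * 1000:8.3f} mbit")
```

The averaged Shannon figure is what the "millibits per sample" estimate refers to; the peak min-entropy figure is the number a conditioner would be sized against.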
Peter Monta writes:
But how wrong is wrong? Unless the design is catastrophically bad, a zener source is going to give you zener noise plus some slight admixture of interference. Say the designer is extremely careless and there's deterministic interference 20 dB down. I don't see how even that matters cryptographically---the resulting loss in entropy will be millibits per sample.
[lots elided]

As a smart EE, it's very easy for you to personally understand the design of a device you have personally constructed well enough that you can trust it. On the other hand, consider a black box Johnson noise based device that you are handed. You check the random numbers coming out; they seem roughly right. You know, of course, that the box could simply be a very clever Blum-Blum-Shub based PRNG with the seed being stored at the enemy's secret lab, and you wouldn't have any solid handle on how to determine that without taking the device apart. On the other hand, I can take a radiation detector and test it damn easily with easy to acquire calibrated sources.
A radioactive source might be okay at the board level (though probably costlier than its electronic counterpart), but it'd be a pain to integrate, and it might disturb the rest of the chip.
Certainly you can't put such a device into a portable phone -- a Zener diode beats a geiger counter in such cases. On the other hand, a portable phone has to deal with a threat model in which there are very simple ways -- like plain eavesdropping -- to hear the conversation. If, though, you have a large electronic bank's central key management machine in mind, the extra trouble of using an external radiation detector would probably be worthwhile, assuming you had plugged other holes, given the ease with which the system may be tested and the amount of cash at stake.

Perry