Fellow Cypherpunks, Here's a posting I just sent to sci.crypt, dealing with using alpha particle sources as noise sources for generating one-time pads. Ordinarily I wouldn't bother you folks with this, especially since you're all reading sci.crypt (aren't you? Only the FidoNetters have a good excuse not to.). But this thread ties together two aspects of my life, cryptography and alpha particle errors in chips. --Tim Newsgroups: sci.crypt Path: netcom.com!tcmay From: tcmay@netcom.com (Timothy C. May) Subject: Re: Hardware random number generators compatible with PCs? Message-ID: <1992Oct26.051612.29869@netcom.com> Organization: Netcom - Online Communication Services (408 241-9760 guest) X-Newsreader: Tin 1.1 PL5 References: <1992Oct25.224554.1853@fasttech.com> Date: Mon, 26 Oct 1992 05:16:12 GMT Bohdan Tashchuk (zeke@fasttech.com) wrote: : The recent post on building a random number generator using a zener diode got : me to thinking once again about commercial alternatives. : : I haven't seen any commercial alternatives discussed here recently. And since : the market is so specialized, they may well exist but I'm simply not aware of : them. : : The ideal product would have the following features: : : * cost less than $100 : * use a radioactive Alpha ray emitter as the source It's a small world! In my earlier incarnation as a physicist for Intel, I discovered the alpha particle "soft error" effect in memory chips. By 1976 chips, especially dynamic RAMs, were storing less than half a million electrons as the difference between a "1" and a "0". A several MeV alpha could generate more than a million electron-hole pairs, thus flipping some bits. (Obviously the effect of alphas on particle detectors was known, and smoke detectors were in wide use, but nobody prior to 1977 knew that memory bits could be flipped by alphas, coming from uranium and thorium in the package materials. It's a long story, so I won't say any more about it here.) : * connect to an IBM PC serial or parallel port : * be "dongle" sized, ie be able to plug directly onto the port, and : not have a cable from an external box to the port : * be powered directly from the port : * generate at least 1000 "highly random" bits per second This should be feasible by placing a small (sub-microcurie) amount of Americium-241 on a small DRAM chip that is known to be alpha-sensitive (and not all of them are, due to processing tricks). Errors would occur at random intervals, depending on which bits got hit. Getting 1000 errors a second would be tough, though, as such high intensities would also tend to eventually destroy the chip (through longterm damage to the silicon, threshold voltage shifts, etc.). If you really want to pursue this seriously, I can help with the calculations, etc. : Details: : : Certainly in high volume these things can be made cheaply. Smoke detectors : often sell for under $10, and have a radioactive source, an IC, a case, etc. Yes, but smoke detectors use ionization in a chamber (the smoke from a fire makes ionization easier). That is, no real ICs. But ICs, and even RAM chips, are cheap, so your $10 figure is almost certainly in the ballpark. A bigger concern is safety, or the _perceived_ safety. Smoke detectors have, I understand, moved away from alpha particle-based detectors to photoelectric detectors (smoke obscures beam of light). Don't underestimate the public's fear of radioactivity, even at low levels. : Using a well-designed circuit based on Alpha decay should mean that the : randomness is pretty darn good. But not necessarily any better than noise from a Zener. With the higher bit rate from diode noise, more statistical tricks can be done. The relatively low bit rate from alpha decay gives less flexibility. On the other hand, alpha hits are undeniably quite random, with essentially no way to skew the odds (unlike with diode noise). : Everyone these days has either a serial or parallel port available, either : directly or thru a switch box. : : The tiny "dongle" size is a convenience. If it is small and powered directly : from the port, there are no cables to get in the way. There is enough power : available from the signal lines on these ports to power simple devices. E.g. : most mice don't require an external power supply. : : For most applications 1000 bits per second should be adequate. For example, : it would be quite adequate for session keys. For generating pseudo : one-time-pads, an overnight run should generate plenty of values. Continuously : generating values for a month would produce about 300 MB, which should be : enough to exchange new CD-ROM key disks once a month. One time pads are complicated to use. Only very high security applications that can also afford them use them. For example, some diplomatic traffic. I can't conceive of a case where 300 MB a month could be used. And _theft_ (or copying) of the CD-ROM one time pads has got to be a much bigger issue that whether alpha particle noise sources are better than diode noise sources! By about 10 orders of magnitude I would say. Black bag jobs on the sites holding the keys will be the likeliest attack, not trying to analyze how random the noise is (even a fairly crummy noise source will not yield enough information to a cryptanalyst trying to break a one-time pad). Having said all this, I'm glad you gave some thought to alphas. For a time in the late 1970s this was the chip industry's number one headache...it was definitely the most exciting time of my life. --Tim -- .......................................................................... Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@netcom.com | anonymous networks, digital pseudonyms, zero 408-688-5409 | knowledge, reputations, information markets, W.A.S.T.E.: Aptos, CA | black markets, collapse of governments. Higher Power: 2^756839 | PGP 2.0 and MailSafe keys by arrangement.