Sources of randomness

Peter Monta pmonta at qualcomm.com
Sat Nov 4 00:29:32 PST 1995 

Perry Metzger writes:

> > [ radioactive vs. other ]
>
> I didn't contend that its inferior. I contended that its difficult to
> distinguish from sources of electronic interference and is easy to get
> wrong.

Point taken; it sounds like I misread your post a bit.  Certainly
it's better to have a robust implementation than a delicate one,
but let me argue how hard it might be to get electronic sources
wrong.

> ...
> Someone can gimmick a zener diode or get it "wrong" a lot more easily
> than they can get a radation event wrong.

But how wrong is wrong?  Unless the design is catastrophically bad,
a zener source is going to give you zener noise plus some slight
admixture of interference.  Say the designer is extremely careless
and there's deterministic interference 20 dB down.  I don't see
how even that matters cryptographically---the resulting loss in
entropy will be millibits per sample.

Perhaps there ought to be a couple of standard random-bit-source
implementations, say at the CMOS-standard-cell and board-subsystem
levels, that are widely vetted and trusted (and used!).  But it's
mostly a solved problem, seems to me.

A radioactive source might be okay at the board level (though probably
costlier than its electronic counterpart), but it'd be a pain to
integrate, and it might disturb the rest of the chip.  (I'd like to
have a get_random_bit instruction as part of a microprocessor, for
example.)  Also if you want a high rate of random bits, you need many
decay events, whereas for electronic sources the corresponding
bandwidth is free---Johnson and shot noise are flat to 1 THz or so.

Interestingly enough, zener diodes and particle detectors are a lot
alike.  Zeners, if they're avalanching, already have some internal
gain; each electron crossing the junction gets so hot it knocks
off other electrons, and there's a chain reaction.  Particle detectors
take the ion trail in a suitable environment and make a nice
big pulse out of it with a similar chain-reacton effect (though
the fancier kind will give you the actual amount of charge).

Cheers,
Peter Monta   pmonta at qualcomm.com
Qualcomm, Inc./Globalstar

More information about the cypherpunks-legacy mailing list