Hardware Solutions

[watso...@gmail.com]

The solution to a lack of entropy is obvious: add more. Various methods have been proposed for this process: below I am listing the ones I have found documentation for and current applications thereof.

-Zener Noise: RF test equipment, USB random number generators
-Sylvania 6D4: RF test equipment, possibly the RAND tables.
-thermal noise in transistors: ERNIE, UK lottery bonds according to Wikipedia
-neon tubes: old ERNIE
-CCD noise: LavaRND
-Stern-Gerlach experiment: quantum cryptography
-oscillator phase noise: VIA chips
-metastable circuits: Intel Ivy Bridge RNG
-chaotic circuits: no uses yet

However hardware number generators alone are not enough. We need to characterise their operation and describe how to integrate them with algorithmic PRNGs. Furthermore, the cost and ubiquity of these solutions are obstacles to their use. A three-terminal device that connected to power, ground, and produced random bits that could be sampled any time might still be too expensive to use, and certainly doesn't exist yet.

Different technologies will likely use different solutions. Metastable circuits, and oscillator phase noise both work on digital chips. The other technologies are very analog, and in some cases have unacceptable heat production and mechanical durability. Yet, they are much more conservatively designed and can some be integrated into mixed-signal devices like microcontrollers relatively cheaply.

Sincerely,
Watson Ladd

[Jon Callas]

Hear, hear.

The only thing I'd add is that I think you're making it harder than it is. We need to have an entropy source, and it doesn't particularly have to be good. Entropy distilling is easy, just pick your favorite hash function. If a system has some thing that's got some real randomness in it (whatever the hell that is), distilling it down and then feeding it into an output stage (some suitable PRF) works fine.

There's too much thought trying to get "pure" entropy. Entropy, like gold, is more useful when alloyed with some baser material.

Jon

[Watson Ladd]

I don't think this is right for the simple reason then that has been tried already. Embedded systems do not have sufficient sources of entropy. Arguing that maybe some hardware source might have some, and we can sample it early enough in the boot sequence, is not going to work: changes to systems can wipe out that entropy source.

If every chip vendor agreed to put in a hardware entropy source, or there was a cheap external entropy generator, this wouldn't be a problem. Intel is doing this on Ivy Bridge.

Watson

[Watson Ladd]

And I was wrong: many embedded devices have a switching power supply, with its own oscillator independent of the one that drives the processor. Sampling the clock signal at times given by the switching supply's oscillator will produce a sequence of random bits, although a sequence in need of quite a bit of work. But the best part is hardware failure in the switcher results in the device powering down.This can be as simple as putting a single sample pin on the outside of the processor, and a shift register inside that can be read by the OS somehow, that samples the clock when the sample pin goes low.

Watson