[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Sources of randomness
Perry Metzger writes:
> > [ radioactive vs. other ]
>
> I didn't contend that its inferior. I contended that its difficult to
> distinguish from sources of electronic interference and is easy to get
> wrong.
Point taken; it sounds like I misread your post a bit. Certainly
it's better to have a robust implementation than a delicate one,
but let me argue how hard it might be to get electronic sources
wrong.
> ...
> Someone can gimmick a zener diode or get it "wrong" a lot more easily
> than they can get a radation event wrong.
But how wrong is wrong? Unless the design is catastrophically bad,
a zener source is going to give you zener noise plus some slight
admixture of interference. Say the designer is extremely careless
and there's deterministic interference 20 dB down. I don't see
how even that matters cryptographically---the resulting loss in
entropy will be millibits per sample.
Perhaps there ought to be a couple of standard random-bit-source
implementations, say at the CMOS-standard-cell and board-subsystem
levels, that are widely vetted and trusted (and used!). But it's
mostly a solved problem, seems to me.
A radioactive source might be okay at the board level (though probably
costlier than its electronic counterpart), but it'd be a pain to
integrate, and it might disturb the rest of the chip. (I'd like to
have a get_random_bit instruction as part of a microprocessor, for
example.) Also if you want a high rate of random bits, you need many
decay events, whereas for electronic sources the corresponding
bandwidth is free---Johnson and shot noise are flat to 1 THz or so.
Interestingly enough, zener diodes and particle detectors are a lot
alike. Zeners, if they're avalanching, already have some internal
gain; each electron crossing the junction gets so hot it knocks
off other electrons, and there's a chain reaction. Particle detectors
take the ion trail in a suitable environment and make a nice
big pulse out of it with a similar chain-reacton effect (though
the fancier kind will give you the actual amount of charge).
Cheers,
Peter Monta [email protected]
Qualcomm, Inc./Globalstar