[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: True Randoms



William Kinney writes:

>A little nuclear physics anyone?
>
>Seems like one real bitch with roll-your-own cryptography is the 
>scarcity of good random numbers to work with. I've read about various
>schemes using I/O buffers, or keystroke timing like PGP does (even
>there, true randoms are referred to as "precious").
>
>So I thought a bit about how one could construct a true random generating
>box. Went out to Sears and bought a $7 smoke detector, a "Family Gard"

>
>Does anyone see a real need for something like this?
>Any hardware jocks out there who could lend some expertise?

What follows is my standard "alpha particles as sources of random numbers"
posting, which I have forwarded to the list a couple of times. (I'm not
being at all critical of William Kinney for raising the issue again.)

Quick summary: thermal noise in a back-biased diode is easier to get, has
more bandwidth, doesn't have safety concerns, and is readily buildable.


From: tcmay (Timothy C. May)
Message-Id: <[email protected]>
Subject: Alpha Particles and One Time Pads
To: [email protected]
Date: Sun, 25 Oct 92 22:30:54 PDT
Cc: tcmay (Timothy C. May)
X-Mailer: ELM [version 2.3 PL11]

Fellow Cypherpunks,

Here's a posting I just sent to sci.crypt, dealing with using alpha
particle sources as noise sources for generating one-time pads.
Ordinarily I wouldn't bother you folks with this, especially since
you're all reading sci.crypt (aren't you? Only the FidoNetters have a
good excuse not to.).

But this thread ties together two aspects of my life, cryptography and
alpha particle errors in chips. 

--Tim

Newsgroups: sci.crypt
Path: netcom.com!tcmay
From: [email protected] (Timothy C. May)
Subject: Re: Hardware random number generators compatible with PCs?
Message-ID: <[email protected]>
Organization: Netcom - Online Communication Services  (408 241-9760 guest) 
X-Newsreader: Tin 1.1 PL5
References: <[email protected]>
Date: Mon, 26 Oct 1992 05:16:12 GMT

Bohdan Tashchuk ([email protected]) wrote:

: The recent post on building a random number generator using a zener diode got
: me to thinking once again about commercial alternatives.
: 
: I haven't seen any commercial alternatives discussed here recently. And since
: the market is so specialized, they may well exist but I'm simply not aware of
: them.
: 
: The ideal product would have the following features:
: 
:       * cost less than $100
:       * use a radioactive Alpha ray emitter as the source

It's a small world! In my earlier incarnation as a physicist for
Intel, I discovered the alpha particle "soft error" effect in memory
chips. By 1976 chips, especially dynamic RAMs, were storing less than
half a million electrons as the difference between a "1" and a "0". A
several MeV alpha could generate more than a million electron-hole
pairs, thus flipping some bits.  

(Obviously the effect of alphas on particle detectors was
known, and smoke detectors were in wide use, but nobody prior to 1977
knew that memory bits could be flipped by alphas, coming from uranium
and thorium in the package materials. It's a long story, so I won't
say any more about it here.)

:       * connect to an IBM PC serial or parallel port
:       * be "dongle" sized, ie be able to plug directly onto the port, and
:               not have a cable from an external box to the port
:       * be powered directly from the port
:       * generate at least 1000 "highly random" bits per second

This should be feasible by placing a small (sub-microcurie) amount of
Americium-241 on a small DRAM chip that is known to be alpha-sensitive
(and not all of them are, due to processing tricks). Errors would
occur at random intervals, depending on which bits got hit. Getting
1000 errors a second would be tough, though, as such high intensities
would also tend to eventually destroy the chip (through longterm
damage to the silicon, threshold voltage shifts, etc.). If you really
want to pursue this seriously, I can help with the calculations, etc.

: Details:
: 
: Certainly in high volume these things can be made cheaply. Smoke detectors
: often sell for under $10, and have a radioactive source, an IC, a case, etc.

Yes, but smoke detectors use ionization in a chamber (the smoke from a
fire makes ionization easier). That is, no real ICs. But ICs, and even
RAM chips, are cheap, so your $10 figure is almost certainly in the ballpark.

A bigger concern is safety, or the _perceived_ safety. Smoke detectors
have, I understand, moved away from alpha particle-based detectors to
photoelectric detectors (smoke obscures beam of light). Don't
underestimate the public's fear of radioactivity, even at low levels.

: Using a well-designed circuit based on Alpha decay should mean that the
: randomness is pretty darn good.

But not necessarily any better than noise from a Zener. With the
higher bit rate from diode noise, more statistical tricks can be done.
The relatively low bit rate from alpha decay gives less flexibility.
On the other hand, alpha hits are undeniably quite random, with
essentially no way to skew the odds  (unlike with diode noise).

: Everyone these days has either a serial or parallel port available, either
: directly or thru a switch box.
: 
: The tiny "dongle" size is a convenience. If it is small and powered directly
: from the port, there are no cables to get in the way. There is enough power
: available from the signal lines on these ports to power simple devices. E.g.
: most mice don't require an external power supply.
: 
: For most applications 1000 bits per second should be adequate. For example,
: it would be quite adequate for session keys. For generating pseudo
: one-time-pads, an overnight run should generate plenty of values. Continuously
: generating values for a month would produce about 300 MB, which should be
: enough to exchange new CD-ROM key disks once a month.

One time pads are complicated to use. Only very high security
applications that can also afford them use them. For example, some
diplomatic traffic. I can't conceive of a case where 300 MB a month
could be used. 

And _theft_ (or copying) of the CD-ROM one time pads has got to be a
much bigger issue that whether alpha particle noise sources are better
than diode noise sources! By about 10 orders of magnitude I would say.

Black bag jobs on the sites holding the keys will be the likeliest
attack, not trying to analyze how random the noise is (even a fairly
crummy noise source will not yield enough information to a
cryptanalyst trying to break a one-time pad).

Having said all this, I'm glad you gave some thought to alphas. For a
time in the late 1970s this was the chip industry's number one
headache...it was definitely the most exciting time of my life.

--Tim
-- 
..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,  
[email protected]       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^756839 | PGP 2.0 and MailSafe keys by arrangement.