Re: Sources of randomness

["Perry E. Metzger" <perry@piermont.com>]

Peter Monta writes:
> But how wrong is wrong?  Unless the design is catastrophically bad,
> a zener source is going to give you zener noise plus some slight
> admixture of interference.  Say the designer is extremely careless
> and there's deterministic interference 20 dB down.  I don't see
> how even that matters cryptographically---the resulting loss in
> entropy will be millibits per sample.

[lots elided]

As a smart EE, its very easy for you to personally understand the
design of a device you have personally constructed well enough that
you can trust it. On the other hand, consider a black box Johnson
noise based device that you are handed. You check the random numbers
coming out; they seem roughly right. You know, of course, that the box
could simply be a very clever Blum-Blum-Shub based PRNG with the seed
being stored at the enemy's secret lab, and you wouldn't have any
solid handle on how to determine that without taking the device apart.

On the other hand, I can take a radiation detector and test it damn
easily with easy to aquire calibrated sources.

> A radioactive source might be okay at the board level (though probably
> costlier than its electronic counterpart), but it'd be a pain to
> integrate, and it might disturb the rest of the chip.

Certainly you can't put such a device into a portable phone -- a Zener
diode beats a geiger counter in such cases. On the other hand, a
portable phone has to deal with a threat model in which there are very
simple ways -- like plain eavesdropping -- to hear the
conversation. If, though, you have a large electronic bank's central
key management machine in mind, the extra trouble of using an external
radiation detector would probably be worthwhile, assuming you had
plugged other holes, given the ease with which the system may be
tested and the amount of cash at stake.

Perry