Dave Emery (die@die.com)
Mon, 6 Jul 1998 22:24:57 -0400
On Mon, Jul 06, 1998 at 09:41:58PM -0400, Perry E. Metzger wrote:
>
> The problem is not in finding things that are random. The problem is
> in very accurately characterizing how random those things are.
>
> For instance, say you have some "noise" in a circuit. How much of that
> is truly random noise? How much is received RF from some exterior
> source? How much is coupling to some other part of the circuit?
>
> To an EE, the distinction is unimportant. Noise is noise. Who cares
> what kind of noise it is? To us, the distinction is life or
> death. Some noise is really random. Some is disguised signal -- not
> the signal an EE wants, perhaps, but none the less a signal. We want
> just the random part.
>
Indeed I oversimplify by implying that any old noise will do.
One clearly needs to use noise from a noise source carefully selected to
have known and theoretically random statistics, and be very careful that
the noise is not contaminated by low level signal. But there are some
quite powerful techniques such as Fourier spectral analysis and various
kinds of cross correlation which can be used to demonstrate that the
noise is clean of contamination by known signals in nearby circuits, and
many techniques exist for measuring and modeling the degree of coupling
between a noise generator circuit and the outside world. Indeed yes,
one has to very carefully design the random noise generator to prevent
non random noise from getting into the random noise signal path. But
such shielding and decoupling techniques are not voodoo, but rather a
normal part of designing circuits meant to deal with low level signals
of any kind, and the problem is made somewhat easier by virtue of the
fact that unlike sensitive radio receivers, there needs to be no path
into the most sensitive part of the circuit for signals from an antenna.

> > Any electrical resistive device at a temperature above zero
> > kelvin has Johnson noise across its terminals, and this noise is just as
> > theoretically statistically random as the "noise" of radioactive decay.
>
> Yup -- but try to figure out how many bits per second it means, and
> you start getting trouble.

The number of good random bits/second is a function of the
bandwidth of the observing circuit. The wider band it is the more bits
per second. As the sample rate approaches the bandwidth of the noise
source adjacent samples become correlated. But bandwidths in the GHz
area are readily obtainable with current technology, which certainly
permits thousands or millions of bits per second of randomness to be
extracted with essentially unmeasurable correlations between bits.
And post processing can reduce such correlations a lot further.
>
> > And much easier to conveniently and safely harvest than using radioactive
> > sources and detectors. The roaring white noise that comes out of
> > a FM radio tuned to an empty channel is an example of Johnson noise from
> > the rf front end of the receiver amplified to high levels and should
> > be a good source of random bits provided that there is no signal sneaking
> > in.
>
> "provided".
>
> See what I mean?
>
Indeed using white noise from an FM receiver with the antenna
disconnected might be a dangerous thing to do if the potential adversary
can generate powerful RF fields at will when he wishes to contaminate
random number generation. But to some degree any hardware solution has
the same vulnerability to electromagnetic spoofing by energetic signals
of some kind or another, even the geiger counter can be fooled
by strong enough rf fields to screw up its amplifiers and certainly
can be contaminated by anyone with controlled sources of energetic
particles which could either be used to saturate the GM tube resulting
in long intervals of dead time or to generate known bursts of counts.

> > At the very most, simple minded approaches to harvesting Johnson
> > noise may introduce very slight biases in the numbers of zero or one
> > bits or correlations between adjacent bits, but there are a number of
> > post processing techniques that eliminate these errors, and more
> > sophisticated sampling techniques can eliminate most of them to
> > begin with.
>
> I'm not going to argue that you are wrong. I'm just going to argue
> that a lot of this is dangerous stuff, and you have to be careful to
> well characterize your sources. Often, it is safer just to assume the
> source is far worse than it is and "distil" down so far that you are
> safe (provided that our distillation techniques are okay -- we don't
> have final word on that from the theoretical cryptographers yet.)
>
I couldn't agree more. But sometimes the best is the enemy of
good enough, and if people assume that accessing any useful kind of hardware
randomness involves radioactive sources and all the legal and regulatory
hassles that involves, real implementors may fall back on the low bits
of the process number hashed with the real time clock and leave the
system wide open.
--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
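
The bandwidth and post-processing points in the reply above, as an added example that is not part of the original message: a constructed simulation of a band-limited noise source read through a comparator, showing how the correlation between adjacent bits depends on sample spacing and how one well-known post-processing step (von Neumann debiasing, chosen here as an illustration) removes the remaining bias. The filter pole, comparator offset, spacings and seed are assumptions made for the demonstration.

```python
import random

def sample_bits(n_bits, spacing, pole=0.8, offset=0.3, seed=1998):
    """Constructed model, not a real capture: white Gaussian noise through a
    one-pole low-pass filter (the finite bandwidth of the observing circuit),
    then a comparator with a small DC offset, read every `spacing` steps."""
    rng = random.Random(seed)
    y, bits = 0.0, []
    for _ in range(200):                      # let the filter settle
        y = pole * y + rng.gauss(0.0, 1.0)
    for _ in range(n_bits):
        for _ in range(spacing):
            y = pole * y + rng.gauss(0.0, 1.0)
        bits.append(1 if y > offset else 0)
    return bits

def ones_fraction(bits):
    return sum(bits) / len(bits)

def serial_correlation(bits):
    """Pearson correlation between each bit and the one that follows it."""
    a, b = bits[:-1], bits[1:]
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b)) / n
    va = sum((x - ma) ** 2 for x in a) / n
    vb = sum((y - mb) ** 2 for y in b) / n
    return cov / (va * vb) ** 0.5

def von_neumann(bits):
    """Debias non-overlapping pairs: 01 -> 0, 10 -> 1, discard 00 and 11.
    Only sound when the input bits are (nearly) independent."""
    return [x for x, y in zip(bits[0::2], bits[1::2]) if x != y]

def report(n_bits=20000):
    fast = sample_bits(n_bits, spacing=1)     # sampling close to the bandwidth
    slow = sample_bits(n_bits, spacing=32)    # sampling far below it
    clean = von_neumann(slow)
    return {
        "fast_corr": serial_correlation(fast),
        "slow_corr": serial_correlation(slow),
        "slow_ones": ones_fraction(slow),
        "clean_ones": ones_fraction(clean),
        "clean_len": len(clean),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(name, round(value, 4))
```

The debiased stream is roughly a quarter of the raw bit count, which is the rate cost of distilling a source that has been characterized conservatively.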