The Development Of A Hardware Random Number Generator

rng

[Ian] had a need for a lot of random numbers. There are dozens of commercial offerings when it comes to RNGs, but there are also hundreds of different ways for an electronics hobbyist to shoot random bits at a serial port. One of these methods is an RNG based on the avalanche breakdown noise in a PN junction. As with any circuit in hobbyist electronics, there are dozens of prototypes floating out there on the web, but not too many finished projects. [Ian] decided he would build one of these RNGs as a prototype and bring it to something resembling a finished project.

An avalanche noise RNG takes advantage of the fact that a strongly reverse-biased PN junction, like one found in a transistor, will create a condition where one electron knocks another electron out of place, leading to a sustained chain reaction. It’s quantum, it’s chaotic, it makes for a great source for a random number generator, and there are already dozens of prototype circuits around the Internet.

[Ian] took one of these circuit designs by [Will Ware] and started the iterations that would lead to a finished design. Round one was a simple PCB with the basic circuit and a power supply. Just a few transistors, resistors, and a DC/DC boost converter. Confirming the circuit was generating noise, the next iteration brought in an ADC and an ARM micro with a USB interface. Iterating over this again with an improved ADC – 20 megasamples per second – the design finally reached a point where a final PCB could be designed.

In the end, [Ian] turned a simple circuit that could have been built on a breadboard into a USB device that throws 9kB/s of random data into a computer. The data are actually good, too: the project passed most of the Dieharder test suite, making it very useful for whatever crypto or gaming application [Ian] has in mind.

21 thoughts on “The Development Of A Hardware Random Number Generator

    1. I’m not so sure it does. He’s building a device based on well-known physical principles; this is more or less akin to implementing a public key cipher or other crypto primitive with strong mathematical proof of correctness.

      1. It definitely does. I point out a few weaknesses in the article. And a few of the links have much more considered analyses. I’ve said that I don’t think anyone should use this (or any similar device), nor does anyone really need to. It’s an exercise. The editor has made it seem like I really intended this to be used.

        1. The same principle would apply if I were implementing even a well-known cryptographic algorithm, by the way. There are so many seemingly-ancillary implementation details that can be screwed up (and have, even by the people who are supposed to be doing these things!) in subtle ways that drastically compromise security. Even if the mathematics are correct.

      2. Component aging, bias drift, thermal drift, AC leakage, no EM shielding. There are loads of ways that TRNG’s from a quantum/non-quantum source are exactly the same as Schneier’s Law. The core might be solid, but there are subtleties that can be missed.

  1. i have used the 2 transistor method similarly in the past … but i added a Dflipflop to the end thats reset with a clock pulse thats adjusted for the most entropy

  2. What about take some LSBs from the ADC, append them to the previous random number “block” (or more LSBs on the first start), and then use a cryptographic hash to derive the next random number block?

    1. What you’re describing is a hash-based cryptographically secure PRNG. They’re useful primitives in crypto, but this device generates truly random numbers, without relying on the security of any crypto primitive.

      1. It is a bit like saying that custard is milk. After you have de-biased through a crypto hashing algorithm it is not quite the same.

  3. Ugh!
    I do not agree with the sentiment that this would be a good hardware RNG to use based on it passing the dieharder suite. Those are rather basic tests you can pass with PRNGs and randomness sources with rather low entropy.

    This might be a good hardware RNG, but not for the reasons given here.

    1. You’re right (except about it being a good hardware RNG :), “the data are […] good” is the editor’s assertion, not mine. In the article the only claim I make about the security of this device is that nobody should use it. This device (and the other several dozen like it on the internet) suffers from a few critical weaknesses.

      1. I’ve now actually read the article and I think you did assess the fitness for cryptographic applications correctly ;)

        But what’s up with HaD editors then? It seems the quality of their work has gone down since there’s so many and they get paid.
        Don’t forget the actual core of the site over product development and PR-stunts.

  4. Like many similar projects, this design is at an awkward point, where it’s not yet good enough to thwart attack by a skilled and determined adversary. On the other hand, it’s complete overkill for a casual hacker.

        1. Did you read the rest of the article? It doesn’t propose just using a PRNG; it points out that with enough initial randomness, trying to keep track of ‘available entropy’ is pretty pointless, and blocking is – in almost every case – a stupid thing to do.

    1. The numbers are random, but having to transfer them across the Internet to use them is a problem for anything security related. But still great for things like Monte Carlo Simulation.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s