555 Random Number Generator?

[Druzyek]

Hi,
I would like to generate some true random numbers without using reverse biased transistors and 18v like most circuits show. I decided to measure the length of 555 pulses with a microcontroller. The microcontroller counts cycles with a hardware timer and the 555 sends pulses at 480Hz to the microcontroller triggering an interrupt. The microcontroller records the value of the hardware timer and resets it. The only code in main after initialization is while(1);. The microcontroller is running at 16MHz so it should count 33,333 cycles between each pulse but it can vary by over 100 cycles every time. Can part of this variation be considered entropy?

[T3sl4co1l]

100 out of a ~33k count is 0.3%, not too bad for an RC oscillator I'd say.  Yes, it can be used, but beware, it will be correlated to power supply noise, if any; the oscillator should be well filtered and well shielded (it will be susceptible to RFI as well!), and its output buffered, to minimize interactions with the outside world.

There might be a way to use the uC's internal 8MHz (or whatever) RC oscillator (assuming it has one), subject to the same limitations of course.  Downside being, core voltage and temperature, code density, I/O pin states and so on will probably have an inseparable effect on the reading.  Churning a few thousand passes of an LFSR algorithm in any free CPU cycles might help to add scrambling, to help to defeat possible attacks.

But really, you might just consider a bandgap voltage reference or something.  The non-low noise ones aren't particularly quiet, and a TLV431 will run on 1.2V.  A few milivolts of noise will be good for a bit or two of entropy on a standard ADC (say, 10 bits with 2.5-5V ref), more if the DC bias is subtracted out (using two refs, perhaps?) and the noise amplified.

Tim

[TinkeringSteve]

What kind of microcontroller are you using?

Some newer ones from ST's stm32 line have built-in true random generators. Perhaps those kind of thingies are also available as stand-alone parts?

On page 4, section 1.21 they describe how their RNG implementation works
http://www.st.com/st-web-ui/static/active/en/resource/technical/document/application_note/DM00073853.pdf

[Kjelt]

First of all what is the application?

The usual statistical standards, states that a sequence of numbers, that cannot be discriminated from a sequence of independent uniform deviates from the  unit interval, is considered random. PRNGs that are acceptable by these standards are suitable for simulations, games, and similar applications.

The cryptography standards have to do with predictability. It is less important whether the sequence is uniformly distributed, but it is essential that knowing part of the sequence does not contribute any knowledge about other parts. This requirement is called unpredictability.

This means by definition that a true secure RNG can never be a software only solution since any calculation/algorithm is intrinsically repeatable and thus predictable by nature. So LFSR's are purely deterministic and should only be used if the seed is a cryptographically secure random number.

So you need entropy. That is very very difficult if you have to prevent manipulation. All the given examples even reverse biased transistors can be manipulated. To test the generated random numbers you can use testsuites like Diehard tests. I have done that on a reverse biased transistor setup and it failed miserably. It is better then anything else we tried (keyboard input, lsb adc etc. etc.) but still fails.

So I have very high doubt that your project will result in good enough entropy to pass the diehard test but that might not be your goal 

[Druzyek]

Thanks for all your replies.

Yes, it can be used, but beware, it will be correlated to power supply noise, if any; the oscillator should be well filtered and well shielded (it will be susceptible to RFI as well!), and its output buffered, to minimize interactions with the outside world.

Most circuits show inverters like the 7404. Would the Schmidt trigger on the microcontroller input be enough to buffer the output?

I would use some light dependent resistors and/or thermistors to get the 555 away from a particular frequency. But then you could omit the 555 and just count with the microcontroller some light and or temp sensitive time to charge a cap to a certain value or measure a voltage. Why reset the counter? Just let it keep running.

I thought about this too. I could seal an LED and photoresistor together so that no other light gets in. Hopefully that would keep the charging time of whatever it is used for fairly close. I was resetting the timer so I would have a bunch of 16 bit values I could compare.

What kind of microcontroller are you using?

MSP430. ST makes some really neat ones but I would like to keep the MSP430 for this project.

First of all what is the application?

It is just for a hobby project. Two microcontrollers will send radio signals in plain text so I wanted to add some kind of encryption. The microcontrollers don't have much RAM and I was hoping to transfer fairly quickly so instead of calculating any sort of cypher I wanted to dump a few megabytes of random data to SD cards to use as a one time pad.

So you need entropy. That is very very difficult if you have to prevent manipulation.

Do you mean intentional manipulation or picking up patterns from background effects?

Another question I have is what to do with the data I get (assuming it really is entropy after reading Kjelt's quote.) To test I took 1,000,000 readings and dumped them over Hyperterminal. Bit 0 (LSB) is always 1, probably due to the number of cycles the instructions take in while(1); Bit 1 is 1 in 50% of the numbers and bits 2, 3, and 4 are 1 in 49.9% of them. That is about as far as my math skills got me. If I want to debias those bits, does it matter whether I compare bit 1 to bit 2 and bit 3 to bit 4 or should I compare the bits in one byte to the bits in the next?

[Kjelt]

It is just for a hobby project. Two microcontrollers will send radio signals in plain text so I wanted to add some kind of encryption. The microcontrollers don't have much RAM and I was hoping to transfer fairly quickly so instead of calculating any sort of cypher I wanted to dump a few megabytes of random data to SD cards to use as a one time pad.

I ask another question for a better understanding of the requirements
1) do you need to update the OTP data without human interaction?
if yes -> 1a) how do you plan to synchronize the OTP data between the two microcontrollers since you have no secure channel and any circuit will never generate the same patterns?
if no -> 1b) why not generate the random data with a PC and a proven RNG algorithm ?

Do you mean intentional manipulation or picking up patterns from background effects?

Intentional manipulation for instance with jamming with a radio with known sequence forcing the "random noise from the ether" into that know sequence.

Another question I have is what to do with the data I get.

To analyze random data you need to test for a lot of possible patterns in the datastream. Diehard takes Megabytes of data otherwise it cannot perform all the tests. Here is a list:

Code: [Select]

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::            This is the BIRTHDAY SPACINGS TEST                 ::
     :: Choose m birthdays in a year of n days.  List the spacings    ::
     :: between the birthdays.  If j is the number of values that     ::
     :: occur more than once in that list, then j is asymptotically   ::
     :: Poisson distributed with mean m^3/(4n).  Experience shows n   ::
     :: must be quite large, say n>=2^18, for comparing the results   ::
     :: to the Poisson distribution with that mean.  This test uses   ::
     :: n=2^24 and m=2^9,  so that the underlying distribution for j  ::
     :: is taken to be Poisson with lambda=2^27/(2^26)=2.  A sample   ::
     :: of 500 j's is taken, and a chi-square goodness of fit test    ::
     :: provides a p value.  The first test uses bits 1-24 (counting  ::
     :: from the left) from integers in the specified file.           ::
     ::   Then the file is closed and reopened. Next, bits 2-25 are   ::
     :: used to provide birthdays, then 3-26 and so on to bits 9-32.  ::
     :: Each set of bits provides a p-value, and the nine p-values    ::
     :: provide a sample for a KSTEST.                                ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::            THE OVERLAPPING 5-PERMUTATION TEST                 ::
     :: This is the OPERM5 test.  It looks at a sequence of one mill- ::
     :: ion 32-bit random integers.  Each set of five consecutive     ::
     :: integers can be in one of 120 states, for the 5! possible or- ::
     :: derings of five numbers.  Thus the 5th, 6th, 7th,...numbers   ::
     :: each provide a state. As many thousands of state transitions  ::
     :: are observed,  cumulative counts are made of the number of    ::
     :: occurences of each state.  Then the quadratic form in the     ::
     :: weak inverse of the 120x120 covariance matrix yields a test   ::
     :: equivalent to the likelihood ratio test that the 120 cell     ::
     :: counts came from the specified (asymptotically) normal dis-   ::
     :: tribution with the specified 120x120 covariance matrix (with  ::
     :: rank 99).  This version uses 1,000,000 integers, twice.       ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :: This is the BINARY RANK TEST for 31x31 matrices. The leftmost ::
     :: 31 bits of 31 random integers from the test sequence are used ::
     :: to form a 31x31 binary matrix over the field {0,1}. The rank  ::
     :: is determined. That rank can be from 0 to 31, but ranks< 28   ::
     :: are rare, and their counts are pooled with those for rank 28. ::
     :: Ranks are found for 40,000 such random matrices and a chisqua-::
     :: re test is performed on counts for ranks 31,30,29 and <=28.   ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :: This is the BINARY RANK TEST for 32x32 matrices. A random 32x ::
     :: 32 binary matrix is formed, each row a 32-bit random integer. ::
     :: The rank is determined. That rank can be from 0 to 32, ranks  ::
     :: less than 29 are rare, and their counts are pooled with those ::
     :: for rank 29.  Ranks are found for 40,000 such random matrices ::
     :: and a chisquare test is performed on counts for ranks  32,31, ::
     :: 30 and <=29.                                                  ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :: This is the BINARY RANK TEST for 6x8 matrices.  From each of  ::
     :: six random 32-bit integers from the generator under test, a   ::
     :: specified byte is chosen, and the resulting six bytes form a  ::
     :: 6x8 binary matrix whose rank is determined.  That rank can be ::
     :: from 0 to 6, but ranks 0,1,2,3 are rare; their counts are     ::
     :: pooled with those for rank 4. Ranks are found for 100,000     ::
     :: random matrices, and a chi-square test is performed on        ::
     :: counts for ranks 6,5 and <=4.                                 ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::                   THE BITSTREAM TEST                          ::
     :: The file under test is viewed as a stream of bits. Call them  ::
     :: b1,b2,... .  Consider an alphabet with two "letters", 0 and 1 ::
     :: and think of the stream of bits as a succession of 20-letter  ::
     :: "words", overlapping.  Thus the first word is b1b2...b20, the ::
     :: second is b2b3...b21, and so on.  The bitstream test counts   ::
     :: the number of missing 20-letter (20-bit) words in a string of ::
     :: 2^21 overlapping 20-letter words.  There are 2^20 possible 20 ::
     :: letter words.  For a truly random string of 2^21+19 bits, the ::
     :: number of missing words j should be (very close to) normally  ::
     :: distributed with mean 141,909 and sigma 428.  Thus            ::
     ::  (j-141909)/428 should be a standard normal variate (z score) ::
     :: that leads to a uniform [0,1) p value.  The test is repeated  ::
     :: twenty times.                                                 ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 

[Kjelt]

Code was too long so here  is the rest

Code: [Select]

    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::             The tests OPSO, OQSO and DNA                      ::
     ::         OPSO means Overlapping-Pairs-Sparse-Occupancy         ::
     :: The OPSO test considers 2-letter words from an alphabet of    ::
     :: 1024 letters.  Each letter is determined by a specified ten   ::
     :: bits from a 32-bit integer in the sequence to be tested. OPSO ::
     :: generates  2^21 (overlapping) 2-letter words  (from 2^21+1    ::
     :: "keystrokes")  and counts the number of missing words---that  ::
     :: is 2-letter words which do not appear in the entire sequence. ::
     :: That count should be very close to normally distributed with  ::
     :: mean 141,909, sigma 290. Thus (missingwrds-141909)/290 should ::
     :: be a standard normal variable. The OPSO test takes 32 bits at ::
     :: a time from the test file and uses a designated set of ten    ::
     :: consecutive bits. It then restarts the file for the next de-  ::
     :: signated 10 bits, and so on.                                  ::
     ::                                                               ::
     ::     OQSO means Overlapping-Quadruples-Sparse-Occupancy        ::
     ::   The test OQSO is similar, except that it considers 4-letter ::
     :: words from an alphabet of 32 letters, each letter determined  ::
     :: by a designated string of 5 consecutive bits from the test    ::
     :: file, elements of which are assumed 32-bit random integers.   ::
     :: The mean number of missing words in a sequence of 2^21 four-  ::
     :: letter words,  (2^21+3 "keystrokes"), is again 141909, with   ::
     :: sigma = 295.  The mean is based on theory; sigma comes from   ::
     :: extensive simulation.                                         ::
     ::                                                               ::
     ::    The DNA test considers an alphabet of 4 letters::  C,G,A,T,::
     :: determined by two designated bits in the sequence of random   ::
     :: integers being tested.  It considers 10-letter words, so that ::
     :: as in OPSO and OQSO, there are 2^20 possible words, and the   ::
     :: mean number of missing words from a string of 2^21  (over-    ::
     :: lapping)  10-letter  words (2^21+9 "keystrokes") is 141909.   ::
     :: The standard deviation sigma=339 was determined as for OQSO   ::
     :: by simulation.  (Sigma for OPSO, 290, is the true value (to   ::
     :: three places), not determined by simulation.                  ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::     This is the COUNT-THE-1's TEST on a stream of bytes.      ::
     :: Consider the file under test as a stream of bytes (four per   ::
     :: 32 bit integer).  Each byte can contain from 0 to 8 1's,      ::
     :: with probabilities 1,8,28,56,70,56,28,8,1 over 256.  Now let  ::
     :: the stream of bytes provide a string of overlapping  5-letter ::
     :: words, each "letter" taking values A,B,C,D,E. The letters are ::
     :: determined by the number of 1's in a byte::  0,1,or 2 yield A,::
     :: 3 yields B, 4 yields C, 5 yields D and 6,7 or 8 yield E. Thus ::
     :: we have a monkey at a typewriter hitting five keys with vari- ::
     :: ous probabilities (37,56,70,56,37 over 256).  There are 5^5   ::
     :: possible 5-letter words, and from a string of 256,000 (over-  ::
     :: lapping) 5-letter words, counts are made on the frequencies   ::
     :: for each word.   The quadratic form in the weak inverse of    ::
     :: the covariance matrix of the cell counts provides a chisquare ::
     :: test::  Q5-Q4, the difference of the naive Pearson sums of    ::
     :: (OBS-EXP)^2/EXP on counts for 5- and 4-letter cell counts.    ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::     This is the COUNT-THE-1's TEST for specific bytes.        ::
     :: Consider the file under test as a stream of 32-bit integers.  ::
     :: From each integer, a specific byte is chosen , say the left-  ::
     :: most::  bits 1 to 8. Each byte can contain from 0 to 8 1's,   ::
     :: with probabilitie 1,8,28,56,70,56,28,8,1 over 256.  Now let   ::
     :: the specified bytes from successive integers provide a string ::
     :: of (overlapping) 5-letter words, each "letter" taking values  ::
     :: A,B,C,D,E. The letters are determined  by the number of 1's,  ::
     :: in that byte::  0,1,or 2 ---> A, 3 ---> B, 4 ---> C, 5 ---> D,::
     :: and  6,7 or 8 ---> E.  Thus we have a monkey at a typewriter  ::
     :: hitting five keys with with various probabilities::  37,56,70,::
     :: 56,37 over 256. There are 5^5 possible 5-letter words, and    ::
     :: from a string of 256,000 (overlapping) 5-letter words, counts ::
     :: are made on the frequencies for each word. The quadratic form ::
     :: in the weak inverse of the covariance matrix of the cell      ::
     :: counts provides a chisquare test::  Q5-Q4, the difference of  ::
     :: the naive Pearson  sums of (OBS-EXP)^2/EXP on counts for 5-   ::
     :: and 4-letter cell counts.                                     ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::               THIS IS A PARKING LOT TEST                      ::
     :: In a square of side 100, randomly "park" a car---a circle of  ::
     :: radius 1.   Then try to park a 2nd, a 3rd, and so on, each    ::
     :: time parking "by ear".  That is, if an attempt to park a car  ::
     :: causes a crash with one already parked, try again at a new    ::
     :: random location. (To avoid path problems, consider parking    ::
     :: helicopters rather than cars.)   Each attempt leads to either ::
     :: a crash or a success, the latter followed by an increment to  ::
     :: the list of cars already parked. If we plot n:  the number of ::
     :: attempts, versus k::  the number successfully parked, we get a::
     :: curve that should be similar to those provided by a perfect   ::
     :: random number generator.  Theory for the behavior of such a   ::
     :: random curve seems beyond reach, and as graphics displays are ::
     :: not available for this battery of tests, a simple characteriz ::
     :: ation of the random experiment is used: k, the number of cars ::
     :: successfully parked after n=12,000 attempts. Simulation shows ::
     :: that k should average 3523 with sigma 21.9 and is very close  ::
     :: to normally distributed.  Thus (k-3523)/21.9 should be a st-  ::
     :: andard normal variable, which, converted to a uniform varia-  ::
     :: ble, provides input to a KSTEST based on a sample of 10.      ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::               THE MINIMUM DISTANCE TEST                       ::
     :: It does this 100 times::   choose n=8000 random points in a   ::
     :: square of side 10000.  Find d, the minimum distance between   ::
     :: the (n^2-n)/2 pairs of points.  If the points are truly inde- ::
     :: pendent uniform, then d^2, the square of the minimum distance ::
     :: should be (very close to) exponentially distributed with mean ::
     :: .995 .  Thus 1-exp(-d^2/.995) should be uniform on [0,1) and  ::
     :: a KSTEST on the resulting 100 values serves as a test of uni- ::
     :: formity for random points in the square. Test numbers=0 mod 5 ::
     :: are printed but the KSTEST is based on the full set of 100    ::
     :: random choices of 8000 points in the 10000x10000 square.      ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::              THE 3DSPHERES TEST                               ::
     :: Choose  4000 random points in a cube of edge 1000.  At each   ::
     :: point, center a sphere large enough to reach the next closest ::
     :: point. Then the volume of the smallest such sphere is (very   ::
     :: close to) exponentially distributed with mean 120pi/3.  Thus  ::
     :: the radius cubed is exponential with mean 30. (The mean is    ::
     :: obtained by extensive simulation).  The 3DSPHERES test gener- ::
     :: ates 4000 such spheres 20 times.  Each min radius cubed leads ::
     :: to a uniform variable by means of 1-exp(-r^3/30.), then a     ::
     ::  KSTEST is done on the 20 p-values.                           ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::      This is the SQEEZE test                                  ::
     ::  Random integers are floated to get uniforms on [0,1). Start- ::
     ::  ing with k=2^31=2147483647, the test finds j, the number of  ::
     ::  iterations necessary to reduce k to 1, using the reduction   ::
     ::  k=ceiling(k*U), with U provided by floating integers from    ::
     ::  the file being tested.  Such j's are found 100,000 times,    ::
     ::  then counts for the number of times j was <=6,7,...,47,>=48  ::
     ::  are used to provide a chi-square test for cell frequencies.  ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::             The  OVERLAPPING SUMS test                        ::
     :: Integers are floated to get a sequence U(1),U(2),... of uni-  ::
     :: form [0,1) variables.  Then overlapping sums,                 ::
     ::   S(1)=U(1)+...+U(100), S2=U(2)+...+U(101),... are formed.    ::
     :: The S's are virtually normal with a certain covariance mat-   ::
     :: rix.  A linear transformation of the S's converts them to a   ::
     :: sequence of independent standard normals, which are converted ::
     :: to uniform variables for a KSTEST. The  p-values from ten     ::
     :: KSTESTs are given still another KSTEST.                       ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     ::     This is the RUNS test.  It counts runs up, and runs down, ::
     :: in a sequence of uniform [0,1) variables, obtained by float-  ::
     :: ing the 32-bit integers in the specified file. This example   ::
     :: shows how runs are counted:  .123,.357,.789,.425,.224,.416,.95::
     :: contains an up-run of length 3, a down-run of length 2 and an ::
     :: up-run of (at least) 2, depending on the next values.  The    ::
     :: covariance matrices for the runs-up and runs-down are well    ::
     :: known, leading to chisquare tests for quadratic forms in the  ::
     :: weak inverses of the covariance matrices.  Runs are counted   ::
     :: for sequences of length 10,000.  This is done ten times. Then ::
     :: repeated.                                                     ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
     :: This is the CRAPS TEST. It plays 200,000 games of craps, finds::
     :: the number of wins and the number of throws necessary to end  ::
     :: each game.  The number of wins should be (very close to) a    ::
     :: normal with mean 200000p and variance 200000p(1-p), with      ::
     :: p=244/495.  Throws necessary to complete the game can vary    ::
     :: from 1 to infinity, but counts for all>21 are lumped with 21. ::
     :: A chi-square test is made on the no.-of-throws cell counts.   ::
     :: Each 32-bit integer from the test file provides the value for ::
     :: the throw of a die, by floating to [0,1), multiplying by 6    ::
     :: and taking 1 plus the integer part of the result.             ::
     :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
       NOTE: Most of the tests in DIEHARD return a p-value, which
       should be uniform on [0,1) if the input file contains truly
       independent random bits.   Those p-values are obtained by
       p=F(X), where F is the assumed distribution of the sample
       random variable X---often normal. But that assumed F is just
       an asymptotic approximation, for which the fit will be worst
       in the tails. Thus you should not be surprised with
       occasional p-values near 0 or 1, such as .0012 or .9983.
       When a bit stream really FAILS BIG, you will get p's of 0 or
       1 to six or more places.  By all means, do not, as a
       Statistician might, think that a p < .025 or p> .975 means
       that the RNG has "failed the test at the .05 level".  Such
       p's happen among the hundreds that DIEHARD produces, even
       with good RNG's.  So keep in mind that " p happens".

[Druzyek]

I ask another question for a better understanding of the requirements
1) do you need to update the OTP data without human interaction?
if yes -> 1a) how do you plan to synchronize the OTP data between the two microcontrollers since you have no secure channel and any circuit will never generate the same patterns?
if no -> 1b) why not generate the random data with a PC and a proven RNG algorithm ?

My plan was to let one of the microcontrollers work for several hours or days gathering bits and copying them to the SD cards then physically inserting the cards. I could use a PC but I liked the idea of trying to use real entropy.

Intentional manipulation for instance with jamming with a radio with known sequence forcing the "random noise from the ether" into that know sequence.

Hmm, that's a good point. Is it hard to shield from this?

To analyze random data you need to test for a lot of possible patterns in the datastream. Diehard takes Megabytes of data otherwise it cannot perform all the tests.

That is a lot of tests and some of them seem kind of off the wall! As I wrote in the first post, I have a list of 16 bit values I took from the hardware timer. Shouldn't I do von Neumann debiasing on those values to generate the megabytes of data Diehard needs? If you can tell me what is most likely to work (like ignoring bits 2-4 and only using bit 1) I will give it a try.

[Kjelt]

My plan was to let one of the microcontrollers work for several hours or days gathering bits and copying them to the SD cards then physically inserting the cards. I could use a PC but I liked the idea of trying to use real entropy.

But knowing that gathering real entropy is very very difficult you might end up with a worse random table then for instance let diehard with superduper generate it for you.

Hmm, that's a good point. Is it hard to shield from this?

If you shield from it you don't have any entropy also, so you need to analyze the "random" data dynamically for patterns and if you detect a pattern the micro should know it is being manipulated and should abort.

That is a lot of tests and some of them seem kind of off the wall!

Thats cryptographically secure random numbers for ya, they all have their purpose.

As I wrote in the first post, I have a list of 16 bit values I took from the hardware timer. Shouldn't I do von Neumann debiasing on those values to generate the megabytes of data Diehard needs? If you can tell me what is most likely to work (like ignoring bits 2-4 and only using bit 1) I will give it a try.

That is a lot of work, the way I did it was look at possible candidates (the obvious patterns you can see for yourself so ignore them) and select them one by one and let diehard analyze it. The best ones (none did pass all) can then be used.

Anyway if you use the classic OTP security by Xoring the plaintext data with the OTP data to get the ciphertext you can create the OTP table with a pc without problem.
Where you might get into trouble is if the tablepointers on both sides get out of sync so your protocol should take care of synchronizing the table entries, error correction on the ciphertext and error correction on the plaintext or use a hash of some kind.

[dannyf]

Measuring the phase nouse would be sufficient. I would just use the last bit and use multiple rounds for byte, word or dword types.

using a loop will work but a better idea is to use input capture in isr so it runs fully in the background.

[Druzyek]

If you shield from it you don't have any entropy also

Hmm, so does RF cause a lot of the entropy? I thought the physical properties of the resistors were mostly the cause.

That is a lot of work

You mean running all those tests? I am kind of curious about it now.

using a loop will work but a better idea is to use input capture

The main loop just does while(1) waiting for the interrupt to fire.

[T3sl4co1l]

If you shield from it you don't have any entropy also, so you need to analyze the "random" data dynamically for patterns and if you detect a pattern the micro should know it is being manipulated and should abort.

Intentionally introducing environmental noise is the worst possible thing you can do.  As soon as an attacker finds a stimulus that produces an interesting pattern, you're screwed.

Due to the noisy thresholds and thermal noise inherent to an RC oscillator, it is an equivalent method of generating physically random noise.  A chain of amplifiers (effectively measuring thermal noise of the first stage) or a zener noise generator (ruled out earlier due to the required voltage) would be equivalent, and probably higher bandwidth, sources.

Tim

[dannyf]

-test I took 1,000,000 readings and dumped them over Hyperterminal. Bit 0 (LSB) is always 1-

your code isn't working.

the basic approach is sound and likely can be simplified. The key is to look for just the lsb.

[dannyf]

I put this together quickly.

The random number generated is sent to PORTC and viewed via a DAC (the red trace). You can obviously reroute it to a uart to analyze on a pc.

The relaxation oscillator is basically your 555 timer.

[Kjelt]

Intentionally introducing environmental noise is the worst possible thing you can do.  As soon as an attacker finds a stimulus that produces an interesting pattern, you're screwed.

Absolutely, i was in error due to the fact that we were not allowed due to costs to shield the circuit, thus opening this loophole.

Hmm, so does RF cause a lot of the entropy? I thought the physical properties of the resistors were mostly the cause.

Yes you are right, if you are able to shield the circuit it should be fine, however I would never build such circuit commercially since removing the shield is an easy way of manipulating the RNG and thus reducing the cryptographically security to null. In your case where you onetime want to generate random data it should be fine, esp. since you can check the generated data for randomness before actually using it.

[T3sl4co1l]

Gee, attackers pulling shields, might as well put in a JTAG port for them too!  Why even bother!  Sky is falling!  Aahhhrrrrrggggghhhhh........

Point is not to make it impossible, because that is impossible, just to make it at least a little harder.  If they have to open it up, they can just as well short the output pin, or feed in their own source, or whatever.  You're then also open to side-channel attacks, power supply consumption, that sort of thing.

Tim

[Kjelt]

Sky is falling!  Aahhhrrrrrggggghhhhh........

Naaah Mercury is falling  (not a very good movie though) 

[Druzyek]

your code isn't working.

I tried putting the chip to sleep instead of while(1) and the problem disappeared. I think the code generated for while(1) takes an even number of cycles to run and it obviously won't jump to the isr in the middle of a multi-cycle instruction.

removing the shield is an easy way of manipulating the RNG

This is true but we can assume for this project that that won't happen. If they have access to that they will have access to the OTP cards as well which would be equally disastrous. Would a box made of double sided copper clad be enough shielding?

you can check the generated data for randomness before actually using it.

That is a good idea. How would you recommend I go doing about that? Diehard explicitly warns that it is meant to test algorithms and not just pieces of data.

Rather than trying to measure the pulse width f the 555 you need to run it much, much faster than your sampling rate

Hmmm, how would that be better? Essentially you are comparing a fast clock to a slow clock in both situations. What is the difference?

[Kjelt]

you can check the generated data for randomness before actually using it.

That is a good idea. How would you recommend I go doing about that? Diehard explicitly warns that it is meant to test algorithms and not just pieces of data.

It can test data but it should be fairly large, tens of MB's but since you are generating much more then that it would not be a problem. If you pass more then half of the diehard tests you have a reasonably good random sequence thus rnd generator, perhaps not cryptographically secure but good enough for your application. Only be sure to never ever use the same OTP sequence twice 

[dannyf]

-. I think the code generated for while(1) takes an even number of cycles to run-

that means the incoming signal from an rc oscillator always arrives on even counts on your timers.

the chance if that happening is less than your winning the lottery.

[Druzyek]

Thanks again for the comments.

@dannyf, if a jump instruction takes 4 cycles and the interrupt happens on the second, what would you expect to happen?