Newsgroups: sci.crypt
Path: cactus.org!milano!cs.utexas.edu!uunet!pipex!pavo.csi.cam.ac.uk!cam-cl!rja14
From: rja14@cl.cam.ac.uk (Ross Anderson)

Subject: Re: Simple hardware RNG
Message-ID: <1992Oct24.103753.8032@infodev.cam.ac.uk>
Sender: news@infodev.cam.ac.uk (USENET news)
Nntp-Posting-Host: ely.cl.cam.ac.uk
Reply-To: rja14@cl.cam.ac.uk (Ross Anderson)
Organization: U of Cambridge, England
References: <1992Oct22.070717.28400@cs.aukuni.ac.nz> <5830006@hplsla.hp.com>
Date: Sat, 24 Oct 1992 10:37:53 GMT
Lines: 37

In article <5830006@hplsla.hp.com>, ericb@hplsla.hp.com (Eric Backus) writes: 

> Peter writes:
> >The following is a simple hardware noise generator which you can
> >throw together using junk box parts in about 10 minutes.  It's based
> >on thermal noise in a zener diode, and is powered by its own supply
> >to reduce the chance of noise from the computer's supply being coupled
> >in.
> .
> Fundamentally, I think this idea works.  I have built a zener-diode
> noise source similar to this, that I then xor'ed into a hardware
> feedback-shift-register PRN generator.  The noise coming out of this
> appears to be quite random.

You have to be a bit careful here. The bitstream from the feedback shift
register will look random even if there is not a lot of noise coming out
of the zener, or if the entropy of the noise source is being killed by a
circuit resonance somewhere.

The Intel KEYPROM used a similar idea for an on-chip noise generator
which was used to generate random challenges. Instead of a zener, they
used the relative drift of three oscillators as the random source.

Earlier this year, we took a look at their test results and estimated
that this random source only contributed about one bit of noise per
fifty bits of output. The other forty-nine were just the shift register
sequence.

If you do use a shift register to condition the output of a generator, it
would seem prudent to do a linear equivalence test on the output - that is,
check that the linear complexity of n bits of output is about n/2.

There's no inherent reason why a zener-plus-shift-register design should
be bad, but there are a lot of things that can go subtly wrong with the
implementation, so testing is vital.

Ross Anderson
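
The linear equivalence test suggested above, as an added example that is not part of the original post. It assumes the noise is XORed onto the output of a 16-stage shift register; the tap positions, the period-8 "resonant" pattern, the SHA-256 stand-in for a healthy source and the tolerance are all constructed for illustration.

```python
import hashlib

def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n      # current / previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                          # discrepancy between prediction and bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d:
            t = c[:]
            for j in range(n + 1 - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * L <= i:
                L, m, b = i + 1 - L, i, t
    return L

def lfsr_bits(n, state=0xACE1):
    """Assumed 16-stage register: s[t] = s[t-16] ^ s[t-14] ^ s[t-13] ^ s[t-11]."""
    s = [(state >> k) & 1 for k in range(16)]
    while len(s) < n:
        s.append(s[-16] ^ s[-14] ^ s[-13] ^ s[-11])
    return s[:n]

def stand_in_noise(n):
    """Constructed stand-in for a healthy noise source (SHA-256 of a counter)."""
    out, ctr = [], 0
    while len(out) < n:
        for byte in hashlib.sha256(ctr.to_bytes(4, "big")).digest():
            out.extend((byte >> k) & 1 for k in range(8))
        ctr += 1
    return out[:n]

def conditioned(noise):
    """XOR the noise bits onto the shift-register stream (assumed wiring)."""
    return [a ^ b for a, b in zip(lfsr_bits(len(noise)), noise)]

def passes(bits, tol=16):
    """Linear equivalence test: complexity of n bits should be about n/2."""
    return abs(linear_complexity(bits) - len(bits) / 2) <= tol

N = 1024
DEAD = [0] * N                                   # noise source producing nothing
RESONANT = [1, 0, 1, 1, 0, 0, 1, 0] * (N // 8)   # noise locked to a period-8 pattern
HEALTHY = stand_in_noise(N)

if __name__ == "__main__":
    for name, noise in (("dead", DEAD), ("resonant", RESONANT), ("healthy", HEALTHY)):
        out = conditioned(noise)
        print(name, linear_complexity(out), "pass" if passes(out) else "FAIL")
```

A pass only rules out a short linear recurrence in the output; it is not an estimate of how much entropy the source contributes per bit.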