Posted to sci.electronics.design,alt.binaries.schematics.electronic,sci.electronics.cad
Vladimir Vassilevsky
Random Bit Generator



John Larkin wrote:

On Sun, 24 Oct 2010 11:21:04 -0500, Vladimir Vassilevsky
wrote:
John Larkin wrote:



There are lots of digital chips, including some Intel processors, that
have cryptographic-grade random number generators on-chip.


One of the main features of the cryptography grade RNG is the self test
subsystem that continuously monitors that 1) RNG is in good health
2) RNG has not been tampered with. If there is no such subsystem, the
RNG is consumer or amateur grade, not cryptography grade.


One common
technique is to use a bunch of asynchronous ring oscillators to
scramble pseudo-random shift registers. Lots of references on the web.


Just to remember that a deterministic function over the random number
doesn't add to the randomness. So the output hash should not generate more
of the scrambled bits than the true entropy of the random source.


Post-hashing can remove any 1/0 (DC) bias and remove other
autocorrelations as a physical source tends to have. Do all that a
dozen times, as you can in an FPGA, and things get pretty good.


Yes, the post processing obfuscates the obvious dependencies, but it
can't generate more of the entropy than the entropy of the source.

Things are more interesting if you XOR *into* a pseudo-random shift
register, instead of merely with the output of one.


Again, you can't make more randomness by mixing random states with
deterministic states. Although this procedure adds some "salt" to the
common PRNG.

I have a technique that uses an i/o pin as a noisy/chaotic RC ramp
generator. Fun, but essentially useless.


I used to measure the timing of self charge/discharge of the uncommitted
MCU input to set up the seed for the PRNG for the rolling code.


Similar idea, but I would keep using it. Hanging a cap on the pin
helps. If the discharge time is short and is itself a function of
random values, the combination of discharge time feedback, threshold
uncertainty, dielectric absorption, and cap TC (use a really bad cap)
add to the fun.


VLV
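
A sketch of the continuous self-test discussed in the thread, added here as an example and not code from either poster: a repetition count test and an adaptive proportion test in the style of NIST SP 800-90B, run on the raw bits before any hashing. The names (`health_feed`, `scan_pattern`) are hypothetical, and the cutoffs assume a binary source claimed at 1 bit of entropy per sample with a false-alarm rate of 2^-20.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed parameters: binary source claimed at H = 1 bit/sample, alpha = 2^-20. */
#define RCT_CUTOFF 21u    /* 1 + ceil(20 / H) identical samples in a row */
#define APT_WINDOW 1024u  /* window size for a binary source */
#define APT_CUTOFF 589u   /* occurrences of the reference sample per window */

enum { HEALTH_OK = 0, HEALTH_RCT_FAIL = 1, HEALTH_APT_FAIL = 2 };

typedef struct {
    uint8_t  last, ref;   /* previous sample; APT reference sample */
    uint32_t run;         /* length of the current run of equal samples */
    uint32_t seen, match; /* APT: samples in window, samples equal to ref */
} health_t;

/* Feed one raw (unconditioned) bit; returns a HEALTH_* code. */
int health_feed(health_t *h, uint8_t bit)
{
    bit &= 1u;
    if (h->run > 0 && bit == h->last) h->run++;      /* repetition count test */
    else { h->last = bit; h->run = 1; }
    if (h->run >= RCT_CUTOFF) return HEALTH_RCT_FAIL;

    if (h->seen == 0) {                              /* adaptive proportion test */
        h->ref = bit; h->match = 1; h->seen = 1;     /* first sample opens a window */
    } else {
        if (bit == h->ref) h->match++;
        if (++h->seen == APT_WINDOW) h->seen = 0;    /* window done, start over */
    }
    return h->match >= APT_CUTOFF ? HEALTH_APT_FAIL : HEALTH_OK;
}

/* Constructed test input: repeat a '0'/'1' pattern for n samples.
 * Returns the first failure code and stores how many samples were consumed. */
int scan_pattern(const char *pattern, size_t n, size_t *consumed)
{
    health_t h = {0};
    size_t len = 0;
    while (pattern[len]) len++;
    for (size_t i = 0; i < n; i++) {
        int rc = health_feed(&h, (uint8_t)(pattern[i % len] - '0'));
        if (rc != HEALTH_OK) { *consumed = i + 1; return rc; }
    }
    *consumed = n;
    return HEALTH_OK;
}
```

A stuck-at-1 input trips the repetition count test and a repeating `1110` input trips the proportion test, but a strictly alternating `01` input passes both. The tests catch a failed or crudely biased source; they do not measure entropy, which is why the output budget still has to come from the source's assessed entropy rather than from the post-processing.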