Timeline for Extracting randomness from highly-biased RNG
Current License: CC BY-SA 3.0
20 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Jun 27, 2017 at 8:31 | comment | added | Kesha | | @Paul Uszak I collected the first 1024 bits of SRAM 1 million times and then ran some statistical tests, including the NIST test from SP 800-90b. |
| Jun 26, 2017 at 22:35 | comment | added | Nick T | | Bear in mind that using SRAM as an RNG source is not necessarily reliable. One paper found that the STMicro STM32F100R8 SRAM can provide a good seed, but the Microchip PIC16F1825 can't. An anecdote mentioned that the Atmel ATmega1284P also provides minimal entropy (6 bits from 16K SRAM). In either case, I doubt the manufacturer is going to guarantee such performance batch-to-batch; they might change their process without notice. |
| Jun 26, 2017 at 15:39 | comment | added | Paul Uszak | | As a personal interest, how did you establish 3/1024? |
| Jun 26, 2017 at 14:31 | history | tweeted | | | twitter.com/StackCrypto/status/879346400873635841 |
| Jun 26, 2017 at 13:08 | answer | added | Paul Uszak | | timeline score: 4 |
| Jun 26, 2017 at 13:04 | vote | accept | Kesha | | |
| Jun 26, 2017 at 12:39 | comment | added | Kesha | | @Paul Uszak Yep, it has something like 60 Kbytes of SRAM. |
| Jun 26, 2017 at 12:25 | comment | added | Paul Uszak | | Can we assume therefore that your device has at least 5641 bytes of SRAM? And how much RAM is available for seed-generation-related code? |
| Jun 26, 2017 at 11:17 | comment | added | Kesha | | @daniel It is taken from uninitialized SRAM, see link. |
| Jun 26, 2017 at 11:15 | comment | added | daniel | | Static random access memory? That doesn't seem like a very auditable source of entropy, since you'd need to know everything about the software running the RAM. |
| Jun 26, 2017 at 11:08 | history | edited | Kesha | CC BY-SA 3.0 | Distribution added, formula fixed. |
| Jun 26, 2017 at 11:05 | comment | added | tylo | | @daniel Please re-read the question. It is exactly stated like that. |
| Jun 26, 2017 at 11:03 | comment | added | daniel | | He said it's an entropy source; it's a pretty crummy entropy source if it is as you describe. |
| Jun 26, 2017 at 11:01 | comment | added | tylo | | @daniel No, it's not fine. $3$ bits of entropy over $1024$-bit strings does not say anything about how those bits are distributed, which bits are independent, or if some parts of those strings are actually just constant. And using that kind of knowledge in an attack is not something only an agency could do - but anyone with some basic knowledge in cryptanalysis. |
| Jun 26, 2017 at 10:57 | comment | added | daniel | | @tylo I thought it's fine as long as you feed it correctly: "so long as each bit has the same probability of being one and there is no correlation between successive bits". A Von Neumann extractor might not be the most efficient, but should be simple enough that you can see when the NSA messes with your implementation. |
| Jun 26, 2017 at 10:27 | answer | added | fgrieu♦ | | timeline score: 13 |
| Jun 26, 2017 at 9:22 | comment | added | tylo | | Be careful with the keyword randomness extractor. Not all of them are suitable for cryptographic use. Especially if you don't know how your entropy is spread over all those bits, simple binary operations are quite likely to be insecure. |
| Jun 26, 2017 at 9:09 | comment | added | daniel | | I'd say use this! or some other randomness extractor: en.wikipedia.org/wiki/… |
| Jun 26, 2017 at 8:31 | review | First posts | | | Jun 26, 2017 at 12:16 |
| Jun 26, 2017 at 8:26 | history | asked | Kesha | CC BY-SA 3.0 | |