Infnoise

The world's easiest TRNG to get right

Install / Use

/learn @waywardgeek/Infnoise
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Infinite Noise TRNG (True Random Number Generator)

For instructions for compiling and using the Infinite Noise TRNG driver, go to the software sub-directory, and read the README file there. Both Linux and Windows are supported.

The Infinite Noise TRNG is a USB key hardware true random number generator. It uses what I call a "Modular Entropy Multiplier" architecture (previously Infinite Noise Multiplier or FireBug). Besides being simple, low-cost, and fast, it is much easier to get right than other TRNGs. It naturally defends against influence from outside signals, such as radio interference and power supply noise, making it simple to build securely, without requiring an expert in analog design. Modular entropy multipliers produce a provable and easily measured level of entropy based on thermal noise, approximately equal to log2(K) per output bit, where K is a gain between 1 and 2 set by two resistors around an op-amp. A "health monitor" can track this and verify that the output entropy is within the expected range, which for the Infinite Noise TRNG described below is within 2% of log2(1.82).

Modular entropy multipliers are suitable for both board level implementation and ASIC implementation. Speed is limited by the speed of a gain stage and a comparator, and can run in excess of 100 Mbit/second with high performance components. Cheap solutions with CMOS quad op-amps can run at 8 Mbit/second.

Adjacent bits from a modular entropy multiplier are correlated, so whitening is required before use in cryptography. This should be done by continually reseeding a cryptographically secure hash function such as SHA-512, Blake2b, Keccak-1600 (SHA3), or a stream cipher such as ChaCha. This implementation uses Keccak-1600 with cryptographically secure reseeding of more than 400 bits of entropy at a time, overcoming a trickle in/out problem present in the GNU/Linux /dev/random system. Users who need many megabytes per second of data for use in cryptography can set the outputMultiplier as high as they like, which causes Keccak to generate outputMultiplier*256 bits per reseeding by the Infinite Noise TRNG.

The modular entropy multiplier architecture was invented by Peter Allan in 1999, which he called Firebug. I reinvented it in 2013. As usual, most of my good ideas are rediscoveries of existing ideas :-) Peter has his own version called the Redoubler, which is awesome. It really is the right way to generate random bits, whether on a board with standard parts, or on a custom chip.

Crowd Supply campaign

Infinite Noise Crowd Supply campaign

With the aid of crowdfunding, the Infinite Noise will soon be produced (again)! The campaign is driven by Manuel Domke, founder of a fresh electronics manufacturing company called 13-37.org electronics.

Check the Crowd Supply project page for latest updates

The Eagle open-source boards work!

Here is the first completed Infinite Noise USB key. I offered this model on Tindie to help get the modular entropy multiplier concept out there initially.

Picture of Infinite Noise USB key

Here are the first three boards from OSH Park. They work exactly as predicted. They all generate 300,000 bits per second, resulting in a measured 259,000 bits of entropy per second, which is within 0.5% of the predicted value of log2(1.82).

All three boards should produce log2(1.82) = 0.864 bits of entropy per bit by design. The first one is estimated to produce 0.867, while the second one produces 0.868, and the third is 0.867.
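To show how a health monitor can arrive at per-bit estimates like the ones above, here is an added example (not the project's driver code). It assumes an idealized multiplier model, a 14-bit prediction history and a constructed noise source, and measures entropy as the average surprise of a bit predictor:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CTX_BITS 14   /* history bits the predictor conditions on (assumed) */

/* log2 via ln(v) = 2*atanh((v-1)/(v+1)), so the file builds without libm. */
static double log2_of(double v) {
    double e = 0.0;
    while (v >= 2.0) { v *= 0.5; e += 1.0; }
    while (v < 1.0)  { v *= 2.0; e -= 1.0; }
    double t = (v - 1.0) / (v + 1.0), term = t, sum = 0.0;
    for (int n = 1; n < 40; n += 2) { sum += term / n; term *= t * t; }
    return e + 2.0 * sum / 0.6931471805599453;
}

/* Assumed idealized multiplier on [0,1): emit bit, multiply by K, fold, add noise. */
static uint64_t lcg = 0x9E3779B97F4A7C15ULL;   /* constructed stand-in for thermal noise */
static int multiplier_step(double *x, double k) {
    int bit = *x >= 0.5;
    lcg = lcg * 6364136223846793005ULL + 1442695040888963407ULL;
    double noise = ((double)(lcg >> 11) / 9007199254740992.0 - 0.5) * 2e-6;
    *x = (bit ? k * *x - (k - 1.0) : k * *x) + noise;
    return bit;
}

/* Average surprise -log2(p) of a counting predictor over CTX_BITS-bit histories. */
double measure_entropy_per_bit(double k, long nbits) {
    static uint32_t count[1u << CTX_BITS][2];
    memset(count, 0, sizeof count);
    double x = 0.3, surprise = 0.0;
    uint32_t ctx = 0;
    for (long i = 0; i < nbits; i++) {
        int bit = multiplier_step(&x, k);
        double seen = (double)count[ctx][0] + count[ctx][1];
        surprise -= log2_of((count[ctx][bit] + 1.0) / (seen + 2.0));  /* Laplace */
        count[ctx][bit]++;
        ctx = ((ctx << 1) | (uint32_t)bit) & ((1u << CTX_BITS) - 1);
    }
    return surprise / (double)nbits;
}

/* Health check: measured entropy within `tolerance` (a fraction) of log2(K). */
int health_ok(double measured, double design_gain, double tolerance) {
    double expected = log2_of(design_gain), diff = measured - expected;
    return (diff < 0 ? -diff : diff) <= tolerance * expected;
}

int main(void) {
    double e = measure_entropy_per_bit(1.82, 4000000);
    return printf("%.3f bits/bit, healthy=%d\n", e, health_ok(e, 1.82, 0.05)) < 0;
}
```

Running the same measurement with a gain of 1.5 while still checking against the 1.82 design value makes `health_ok` fail, which is the kind of drift such a monitor exists to catch.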

Picture of Infinite Noise Multiplier circuit board

Here is the latest schematic:

Schematic of Infinite Noise Multiplier

Here is the latest board layout (thanks, EagleWorks!):

Board layout of Infinite Noise Multiplier

The breadboard worked, too. Estimated entropy per bit is 0.81 for the breadboard. By design, it should be 0.80, so it is very close to the prediction. The breadboard proved out much of the theory of operation, as well as providing raw data for entropy testing.

Breadboard of Infinite Noise Multiplier

Here is the voltage on one of the hold caps:

Traces on left hold cap

To build one of these for yourself, you can order three boards from OSH Park for only $3.25, and then buy parts from Digikey and Mouser as described in the BOM. I designed this board to be cheap, not easy to assemble by hand. I use 2 QFN parts and three with 0.5mm lead pitch. If you want to build these yourself the way I do, consider uploading the infnoise.brd file to OSH Stencils and ordering a solder paste stencil for $7. I get the solder paste from SparkFun. Kudos to OSH Park, OSH Stencil, SmallBatchAssembly, and DigiSpark! They're making this whole party possible!

The total for all the parts, including boards from OSH Park, comes to $5.69 each, in 1,000 unit quantities. However, that cost is dominated by USB related parts, particularly the FT240X chip, the USB connector, and the USB-stick enclosure. Just the components for the modular entropy multiplier come out to $0.97.

Cor van Wandelen was kind enough to create these scatter plots showing the non-randomness in the raw output.

color plot of raw data

scatter plot of raw data

Here is a faster version that uses a more expensive op-amp from TI:

Schematic of Infinite Noise Multiplier

The Problem: Noise Sensitivity, and Signal Injection

True random number generators are very difficult to get right. Generally, they amplify a tiny noise signal, perhaps only a microvolt in amplitude, by a factor of millions or billions, until the signal is an unpredictable digital signal. This signal is then sampled to see if it's a 0 or 1.

The problem with this approach is the weak noise source can easily be influenced by other nearby signals, which may be under the control of an attacker, or perhaps observable by an attacker, enabling him to predict the output. Systems built with massive amplification of tiny noise sources often require power supply filters and EMI shielding, and even then remain difficult to prove secure. Generally, an expert analog designer is needed to get it right.

Intel's RDRAND instruction is a perfect example. It uses rapid amplification of thermal noise to determine the power-up state of a latch. Unfortunately, this source of entropy is highly power-supply and cross-talk sensitive. Intel claims to have carefully shielded their thermal noise source, but without a thorough public audit of both the design and layout, including all potential sources of interference, it is not possible to trust the RDRAND instruction as the source of entropy for cryptography.

With such strong sensitivity, these TRNG architectures are potential targets for signal injection by an attacker, who can cause the TRNG to generate his desired output rather than true random data.

The Solution: Modular Multiplication

Unpredictable noise sources are tiny, and must be massively amplified to be used by a TRNG. Other TRNG architectures amplify these signals until they saturate, becoming digital 1's and 0's. They rely on careful design and shielding to keep outside signals from influencing the noise source.

For example, if we amplify a tiny noise source by 1 billion in a system that saturates at 3.3V, then 1uV of noise will be amplified causing the output to be about 3.3V. An attacker need only introduce at least -1uV to cause the TRNG to saturate at 0V instead. An attacker with even this tiny influence can entirely control the output.

If TRNGs used modular multiplication to amplify their noise source, this noise sensitivity problem would go away.

If we multiply a 1uV peak by 1 billion modulo 3.3V, then the result will be about 0.3V, which will result in a digital 0. If an attacker subtracts 1uV, causing our noise source to be at 0.0V, then after amplification, the output is 0V, which still results in a 0. In fact, without knowing the current amplitude of the noise source, there is no signal an attacker can add to our noise source to control the output. He may be able to flip the output bit, but since it was already random, his signal injection fails to control the result, which is still random. In fact, an attacker's injected signal causes the output to be more random, since an attacker is a nice unpredictable source of entropy! Infinite Noise Multipliers add entropy from all noise sources, even those from an attacker.
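The comparison above can be simulated. This is an added example, not code from the project: it feeds the same constructed noise sequence (uniform within ±1uV, an assumption) plus a constant injected offset through a saturating amplifier and a modular one, using the 1 billion gain and 3.3V range from the text, and reports how many output bits are 1.

```c
#include <stdint.h>
#include <stdio.h>

#define VSUP 3.3      /* supply / saturation voltage from the text */
#define GAIN 1e9      /* amplification factor from the text */

/* Constructed zero-mean noise, uniform in [-1 uV, +1 uV), from a deterministic LCG. */
static uint64_t lcg;
static double noise_volts(void) {
    lcg = lcg * 6364136223846793005ULL + 1442695040888963407ULL;
    return ((double)(lcg >> 11) / 9007199254740992.0 - 0.5) * 2e-6;
}

/* Conventional amplifier: the output clips at the rails before it is sampled. */
static int saturating_bit(double vin) {
    double v = GAIN * vin;
    if (v < 0.0) v = 0.0;
    if (v > VSUP) v = VSUP;
    return v > VSUP / 2;
}

/* Modular amplifier: the output wraps into [0, VSUP) instead of clipping. */
static int modular_bit(double vin) {
    double v = GAIN * vin;
    v -= (double)(long long)(v / VSUP) * VSUP;   /* remainder, keeps the sign of v */
    if (v < 0.0) v += VSUP;
    return v > VSUP / 2;
}

/* Fraction of 1 bits over n samples when a constant voltage is injected on top
 * of the same replayed noise sequence. */
double ones_fraction(int modular, double injected_volts, int n) {
    int ones = 0;
    lcg = 12345;                                 /* replay identical noise each call */
    for (int i = 0; i < n; i++) {
        double vin = noise_volts() + injected_volts;
        ones += modular ? modular_bit(vin) : saturating_bit(vin);
    }
    return (double)ones / n;
}

int main(void) {
    const double inj[] = { 0.0, -1e-6, 1e-6 };   /* injected offsets in volts */
    for (int i = 0; i < 3; i++)
        printf("inject %+.0e V: saturating %.3f ones, modular %.3f ones\n",
               inj[i], ones_fraction(0, inj[i], 100000), ones_fraction(1, inj[i], 100000));
    return 0;
}
```

With the -1uV offset the saturating output is pinned to 0, while the modular output stays close to half ones for every offset.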

Variations

There are currently 3 versions of Infinite Noise Multipliers documented here. The infnoise_small directory describes a low part-count design that works well with op-amps which have rail-to-rail inputs and outputs. It runs at 4MHz, outputting 0.86 bits worth of entropy on each clock (loop gain = 1.82), for a total of over 3.4 Mbit of entropy produced per second. The infnoise_fast directory contains a 50% faster design

GitHub Stars: 823
Category: Development
Updated: 1d ago
Forks: 111

Languages

C

Security Score

95/100

Audited on Mar 31, 2026

No findings