From rosing@neurophys.wisc.edu Mon Jul 7 16:04:23 PDT 1997 Article: 69323 of sci.crypt Path: agate!howland.erols.net!news.mathworks.com!chi-news.cic.net!newsspool.doit.wisc.edu!news.doit.wisc.edu!news From: Medical Electronics Lab Newsgroups: sci.crypt,comp.arch.embedded Subject: Re: Hardware random number generator! Date: Thu, 03 Jul 1997 12:04:55 -0500 Organization: Dept. Neurophysiology, U. Wisconsin Lines: 54 Message-ID: <33BBDBB7.470C@neurophys.wisc.edu> References: <33B209D9.6392@lightning.ch> <33B4A0CB.13C@concentric.net> <33b907dd.1723097@ntserv02> <33ba253a.74228705@news.netcomuk.co.uk> <33BB4857.6C91@pcm.bosch.de> NNTP-Posting-Host: pcaf.neurophys.wisc.edu Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailer: Mozilla 2.02 (WinNT; I) Xref: agate sci.crypt:69323 comp.arch.embedded:23208 Stefan Schuett wrote: > > Peter wrote: > > > > I think the approach is identical to using a radiation source. You > > time the delay from the last 1 to the one before it. If longer than > > previous, you take that as a 1; if shorter than previous, you take it > > as a 0. That way, the distribution of the source doesn't matter. You > > get a perfect 50/50 distribution of 1s and 0s. > > > > But you need to be careful that your timer (or whatever) which you use > > to dintinguish between the periods has a high enough resolution, > > otherwise there could be a bias. > > althoug you get a perfect 50/50 distribution I doubt whether this is a > good random number generator. The decision for a 1 or a 0 depends on the > length of the previous interval and so the probability of a 0 following > a 1 is larger than the probability of a 1 following a 1, if I see it > right. Because if you had a delay that was longer than the average you > will probably get a 1. Since it is more probably for the following delay > to be shorter it will also be more probable to get a 0 than to get a 1 > after having had a 1. > > Wouldn't it be better to measure the length of each delay e.g. in > microseconds. If the number of microseconds is even decide for a 1 > otherwise decide for a 0. So each 1 or 0 would really be independent > from the previous one. I was playing with a radiation source from a smoke alarm for use as a random bit generator. Rather than use a timer, I looked at the voltage coming off the ionization chamber. The fluctuations were created by the ions drifting to the walls, but the overall voltage was flat. By eliminating the DC and just looking at the voltage it was obvious that + and - voltages varied at the decay rate, but the exact times of a decay were "random". I tried to amplify the signal past saturation to be read by an RS-232 line, but the connection to the computer appeared to DC bias the results. What it really needs is an A/D converter and some processing to ensure that the DC bias has been completely removed and to collect "pure" random bits. But it will have to wait till a few other projects get finished :-) Another item missing from the discussion is the difference between 'white' distributions and real ones. A real noise source has an inverse frequency relationship: the amount of energy falls off exponentially as you go from low frequencies to higher frequencies. For crypto, the lowest frequency corresponds to the length of the message and the highest to a single bit. A crypto random source requires that the frequency distribution be flat across the entire message. Converting from a real noise source to a crypto useful one should be done carefully. Patience, persistence, truth, Dr. mike