Working on README

2014-09-28 05:39:20 -04:00
parent 3fe39631b7
commit 778d162f6f
7 changed files with 203 additions and 0 deletions
--- a/3
+++ b/3
@@ -2,3 +2,6 @@ all: infnoise
 infnoise: infnoise.c
 	gcc -Wall -std=c99 -O3 -m64 -march=native -o infnoise infnoise.c -lm
 clean:
 	rm -f infnoise
--- a/README.md
+++ b/README.md
@@ -0,0 +1,88 @@
 ##Infinite Noise Multiplier
 ![Schematic Infinite Noise Multiplier](infnoise_small/schematic.png?raw=true "Infinite
 Noise Multiplier")
 The Infinite Noise Multiplier is an architecture for true random number generators (TRNG).
 Besides being simple, low-cost, and fast, it is easy to get right, unlike other TRNGs.
 ### The Problem: Noise Sensitivity, and Signal Injection
 True random number generators are very difficult to get right.  Generally, they amplify a
 tiny noise signal, perhaps only a microvolt in amplitude, by a factor of millions or
 billions, until the signal is an unpredictable digital signal.  This signal is then
 sampled to see if it's a 0 or 1.
 The problem with this aproach is the weak noise source can easily be overridden by other
 nearby signals, which may be under the control of an attacker.  Power supply noise can
 cause zener diodes to avalanche with predictable timing.  Thermal noise can be overridden
 by nearby radio sources, such as EMI from a CPU.  Oscillator drift can be controlled
 through syncrhonous power-supply noise.  Jitter can be controlled through cross-talk and
 power rail droop.  On ICs, substrate currents can override thermal noise.  Cross talk
 strong enough to override these tiny sources of noise can be introduced through radio
 waves, inductive coupling, capacitive coupling, or even "microphonics", due to physical
 vibrations in the system.  These circuits are sometimes even light sensitive.
 Systems built with massive amplification of tiny noise sources often require power supply
 filters, EMI shielding, and even light shielding, and even then remain difficult to prove
 secure.  Such systems can be difficult to audit, because their signal traces are
 inaccessible behind layers of shields.
 Intel's RDRAND instruction is a perfect example.  It uses massive amplification of thermal
 noise to determine the power-up state of a latch.  Unfortunately, this source of entropy
 is highly power-supply, cross-talk, and substrate current sensitive.  Intel claims to have
 carefully shielded their thermal noise source, but without a thorough pubic audit of both
 the design and layout, including all potential sources of interference, it is not possible
 to trust the RDRAND instruction as the source of entropy for cryptography.
 With such strong sensitivity, these TRNG architectures are potential targets for signal
 injection by an attacker, who can cause the TRNG to generate his desired output rather
 than true random data.
 ### The Solution: Modular Multiplication
 Unpredictable noise sources are tiny, and must be massively amplified to be used by an
 TRNG.  Other TRNG architectures amplify these signals until they saturate, becoming
 digital 1's and 0's.  They rely on careful design and shielding to keep outside signals
 from influencing the noise source.
 For example, if we amplify a tiny noise source by 1 billion in a system that saturates at
 3.3V, then 1uV of noise will be amplified causing the output to be about 3.3V.  An
 attacker need only introduce at least -1uV to cause the TRNG to saturate at 0V instead.
 An attacker even this tiny influence over the noise source can entirely control the
 output.
 This is the wrong aproach.  Instead, TRNGs should use modular multiplication to amplify
 their noise source, because modular multiplication never saturates.
 If we multiply a 1uV peak by 1 billion modulo 3.3V, then the result will be about 0.3V,
 which will result in a ditital 0.  If an attacker subtracts 1uV, causing our noise source
 to be at 0.0V, then after amplification, the output is 0V, which still results in a 0.  In
 fact, without knowing the current amplituded of the noise source, there is no signal an
 attacker can add to our noise source that will result in a desired output.  He may be able
 to flip the output bit, but since it was already random, his signal injection fails to
 control the result, which is still random.  In fact, an attacker's injected signal causes
 the output to be *more* random, since an attacker is a nice unpredictable source of
 entropy!  Infinite Noise Multipliers *add* entropy from all noise sources, even those from
 an attacker.
 ### Variations
 There are currently 3 versions of Infinite Noise Multipliers documented here.  The
 infnoise_small directory describes a low part-count design that works well with op-amps
 which have rail-to-rail inputs and outputs.  The infnoise_fast directory contains a faster
 design that uses a few more resistors and an additional op-amp.  This design is suitable
 for use with a wide range of op-amps.
 Because Infinite Noise Mulitpliers are switched-capacitor circuits, it is important to use
 components with low leakage.  Op-amps with below 1nA of input bias current will enable
 running at lower frequencies with less power.
 There is also a [CMOS version described here][infnoise_cmos/RNG].
 ### Free As in Freedom
 I, Bill Cox, came up with The Infinite Noise Multiplier architecture in 2013.  I hereby
 renounce any claim to copyright and patent rigts related to this architecture.  I'm giving
 it away emphatically freely.  Furthermore, I am aware of no infringing patents and believe
 there are none.  It should be entirely safe for use in any application.
--- a/infnoise_cmos/RNG.html
+++ b/infnoise_cmos/RNG.html
@@ -0,0 +1,112 @@
 <html><head>
 <meta http-equiv="content-type" content="text/html; charset=windows-1252"></head><body><h1>The Infinite Noise Multiplier</h1>
 <p>This design is an "Infinite Noise Multiplier", a hardware true random number
 generator.  The name was inspired by my daughter, who is a never ending source
 of randomness.</p>
 <p>The idea is simple: there is noise in every system.  All you have to do is
 amplify it.  This switched-cap circuit has a voltage V, which it multiplies by
 2 every cycle.  If V is greater than Vref/2, then it subtracts Vref/2, thus
 keeping V between 0 and Vref/2.  The truly random output bit is just the output
 of the comparator between V and Vref/2. </p>
 <p>This is best understood digitally.  If you have a random value between 0 and
 1, say .1001110110001, then this circuit would multiply by 2, getting
 1.001110110001X, where X is some new random noise.  It would subtract out 1
 because the value is &gt; 1, and if X is 0, we get: 0.0011101100010.  Continuing
 this process, we shift out the bits one at a time, while noise creates random
 data in the least significant bits.  The circiut is insensitive to non-random
 signal injection.  If you add a non-random signal to the value, you get
 different, but still random bits shifting out.</p>
 <p>There is a bit more to it than this.  The voltage followers can only drive
 down to about 0.1V, which is good, because it creates a voltage to start
 multiplying.  The multiplier only multiplies by about 1.8 instead of 2, which
 is also good, for keeping the voltage from running away.  We subtract slightly
 less than Vref/2 so that V is always between about .2V and Vref/2V.  The
 voltage followers introduce significant distortion and voltage offset.  All
 this results in non-perfect random output.  From SPICE simulations it seems
 that there may be a 25-ish% correlation between bits (this requires more
 analysis), and a 10-ish% bias for more 1's than 0's.  To get high quality random
 data out, I have to XOR many of these partially random bits together.  Here is
 the math to support this approach:</p>
 <p>Let b represent the maximum amplitude of a bias/correlation function between
 bits so that the probability of an attacker guessing correctly an output bit
 knowing all the surrounding bits is no higher than 0.5 + b.  As I XOR these
 bits together, the probability of being able to guess the bit drops.  Call the
 max amplitude of the bias/correlation when XORing n bits together B(n).  Let
 P(n) be the probability of an attacker correctly guessing the output bit with
 n bits XORed together.  Then: </p>
 <p>
 P(n+1) = (.5 + b)(.5 + B(n)) + (.5 - b)(.5 - B(n)<br>
 P(n+1) = .5 + 2*b*B(n)<br>
 B(n+1) = 2*b*B(n)<br>
 B(n) = (2*b)^n*b<br>
 </p>
 <p>I am XORing 80 bits together.  With b = .25, B(80) = 2e-25, which should be more than
 adequate for any crypto purposes.  However, I still recommend that the output of this RNG
 be further randomized with a cryptographically strong pseudo random number generators or
 hash function, just to be sure.</p>
 <p>I am implementing this design on a tiny .35u mixed-signal IC.  It occupies
 about 0.04 mm^2, and runs at 8MHz in SPICE simulations.  25 fit per mm^2, cnd
 each consumes about a milliwatt.  Each outputs 8Mbit/sec, but XORing 80 bits
 together reduces it to 100Kbit/sec.  Per mm^2, it should generate 2.5Mbit/sec
 of crypto ready random bits.  This is a very low power process.  In a high
 speed process, it should be possible to run at 100MHz instead of 8MHz, and the
 circuit should shrink dramatically.</p>
 <p>Here are my awful hand-drawn schematics.  The first schematic shows that on
 phase 1 we sample the voltage from the previous cycle, and store it on two hold
 capacitors in parallel.  An NMOS transistor is used as a switch from the buffer
 of the previous stage.  During phase 2, we use three more NMOS switches to
 stack the two capacitors, which in an ideal world would multiply the voltage by
 2, but because of parasitics, it only does about 1.8.  The output of the
 stacked capacitors feeds through a voltage-follower buffer into the next stage.
 Here there are two switchies: one to feed another hold capacitor during phase 2,
 and another to feed an almost identical hold capacitor also in phase 2.  The
 first hold capacitor feeds the positive terminal of a comparator, while Vref/2
 feeds the negative.  This is a clocked comparator that compares its inputs on
 the start of phase 1.  If the held voltage is greater than Vref/2, the
 comparator subtracts a charge from the other hold capacitor that causes its
 voltage to drop ideally by Vref/2.  Due to parasitics it's somewhat less than
 this.  This second hold capacitor where the subtraction occurs then feeds into
 another voltage follwer buffer, which loops back to where we started, so the
 process can repeat.  The voltage follower schematic is also shown, and is
 simply 4 mosfets: two for current sources and a matched diff pair.  It is a
 standard source-coupled voltage follower.  Vref/2 is generated with a simple
 resistor divider.  The two phases of the clock are generated with back-to-back
 NOR gates, which is also standard.  The clocked comparator is a standard
 circuit as well, which is based on two inverters feeding back on each other,
 with some mosfets to reset the inverter outputs to 1 when the input clock is
 high, and when it goes low, the inverters are connected, and will flip one way
 or the other.  Two mosfets driven by the input voltages cause one side or the
 other to win.  The bias voltage generator for the buffers current sources is
 also shown, which is a resistor feeding into a mirror.</p>
 <img src="RNG_files/schem1.png" alt="schematic 1">
 <img src="RNG_files/schem2.png" alt="schematic 2">
 <img src="RNG_files/schem3.png" alt="schematic 3">
 <p>Here is a simulation of 80 clock cycles, showing typical random data that
 would be XORed together to generate one output bit.  The random output is Q.
 The bottom signal is a 1MHz sine wave which is coupled into the hold
 cap after buffer1 through a capacitor 10% as large as the hold capacitor.  The
 point is to show that non-random sources of noise do not cause the output to be
 less random.  This circuit is highly insensitive to external signals.</p>
 <img src="RNG_files/RNG5.png" alt="SPICE simulation">
 <p>The main sources of noise in this circuit are primarily shot noise and
 thermal noise.  Shot noise is generated every time an electron is accelerated
 through the input transistors of the voltage followers.  Thermal noise is
 generated in the bias current resistor.  However, the source of noise in the
 SPICE simulation is the numerical errors in the simulator, which dominate over
 the quieter shot and thermal noise.  The actual source of noise should not make
 any differece.  Every analog signal has noise.  It simply has to be amplified
 for us to use it.</p>
 </body></html>
--- a/infnoise_cmos/RNG5.png
+++ b/infnoise_cmos/RNG5.png
--- a/infnoise_cmos/schem1.png
+++ b/infnoise_cmos/schem1.png
--- a/infnoise_cmos/schem2.png
+++ b/infnoise_cmos/schem2.png
--- a/infnoise_cmos/schem3.png
+++ b/infnoise_cmos/schem3.png