Why build a TRNG?


Your privacy and free speech

We all cherish the ability to talk to one another in private. It’s a major component of civilised democracy. Many people have dedicated themselves to ensuring that we can say what we want, to whomever we want, without somebody listening in and monitoring us. Some may be exchanging trivia, but others might be whistle-blowing or performing serious journalism in oppressive societies. We do this via cryptography, which consumes random numbers at a great rate. And the quality (randomness) of those numbers is paramount in guaranteeing the robustness of the cryptographic scheme we use. Whether it’s an AES cipher or the humble one time pad (OTP), random numbers of the highest quality are necessary to generate secret key/nonce material. Otherwise the encryption might be broken. The trouble is that it’s well nigh impossible for a deterministic device like a computer to create true randomness. And encryption schemes built upon one time pads can eat through thousands of bytes of entropy.

Of course most of us have access to pseudo random numbers from our computers. Most computers have either a /dev/urandom stream or use of the CryptGenRandom/BCryptGenRandom APIs. But those are not truly random. They come from algorithms, and no matter their complexity or ingenuity, the output of an algorithm will always be deterministic and therefore ultimately predictable. This may be suitable for some people, some of the time. Maximum security, randomness aficionados and tin foil hat wearing types require truly random numbers. And if your interests or needs revolve around one time pads, by definition there is no alternative but a true random number generator (TRNG). It’s like the difference between a blend and a malt whiskey, only more so. So a solution is to buy a commercial device, of which there are many. They range from entry level USB flash drive packaged ones, all the way to top of the range TRNGs built around lasers. There are even laboratory TRNGs that extract entropy from quantum vacuum or photon interference at rates of 300 Gbits/s.

Finally, only by everyone(!) building personal TRNGs with their own interpretation of how it should be done can we avoid ennui and cryptographic monoculture. Look to the 1840’s Irish or 1930’s Dust Bowl farmers to see why monoculture is a terrible idea.

Checking your random numbers

The whole issue is complicated by the fact that it is almost impossible to prove that a sequence of numbers you’re given is truly random. It may be uniformly distributed and pass all appropriate randomness tests like Dieharder, yet still be entirely predictable. The decimal expansions of the irrationals $ \pi $ , $ \sqrt{2} $ and $ e $ are widely regarded as being entirely random, but are calculable and therefore predictable. Yet these constants pass all randomness tests, and indeed are used as test data sets to verify some of the tests themselves (like NIST SP 800-22). They are not truly random though. The entirety of $ \pi $ can be expressed with a Kolmogorov complexity of just the following few mathematical symbols:-

$$ \pi = \sum_{n=0}^{\infty} \left( \frac{4}{8n+1} - \frac{2}{8n+4} - \frac{1}{8n+5} - \frac{1}{8n+6} \right) \left( \frac{1}{16} \right)^n $$

And similarly 1GB of perfectly random looking data can actually consist of only three lines of Java as:-

import java.security.SecureRandom;
SecureRandom random = new SecureRandom();
byte[] numbers = new byte[1_000_000_000];
random.nextBytes(numbers); // fills the 1 GB array with CSPRNG output

Even if you believe that /dev/random is truly so, it blocks and is terribly slow. Certainly insufficient for much one time pad material, so if that is your need you’ll have to go to the market. There are many ready built commercial devices that might be considered for your TRNG, but be warned. How do you know (verifiably) that the number sequence being produced is not predictable by any state actor or otherwise? Can they be audited and proven secure cryptographically? Just what exactly is inside those packages of black epoxy and ceramic? Consider the three following examples of typical commercial TRNGs:-

ID Quantique’s TRNG as a PCIe card

TrueRNG USB sized device

Intel’s i5 microprocessor featuring the RDRAND instruction

We have a printed circuit board with a shielded enclosure and closed source FPGA, a sealed USB device and a preeety complex microprocessor. All purport to produce true random numbers of the highest quality, and at (perhaps unbelievably) high rates. We therefore issue the following challenge:-

Prove that the output from any black box TRNG is not just a version of:-

$$ \mathrm{AES}_{K \oplus cpuid}(\mathrm{CTR}) $$

where $ K $ = secret agency’s key, $ cpuid $ = the id of the microprocessor and $ CTR $ is some counter and/or timer.

Tamper resistance which is vigorously marketed as a positive feature of these devices, becomes counter productive in terms of verifiability and independent audit. We are left with no option but to trust the manufacturer’s brand and integrity. What can a user do otherwise? Forcing open a hardware device risks damaging it, and anyway all of the important operations are soft ones in code embedded within very highly integrated chips. The Core i* processors are a case in point. Even if the die was exposed, a contemporary microprocessor is a multilayered silicon fabrication. It is technically impossible to identify the parts of the architecture responsible for implementing RDRAND instructions, never mind reverse engineering it for operational confirmation. Unfortunately for transparency, such a need for trust then collides with realpolitik.

By contrast, the main cryptographic primitives and by extension pseudo random number generators (PRNGs) can be verified by comparing their outputs against standard test vectors. No such standard output is possible for a TRNG. The only tests possible are stochastic, and the user is back to the $ \pi $ and $ e $ situation.
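As an added illustration of the two points above (not code from the original article): the challenge’s $ \mathrm{AES}_{K}(\mathrm{CTR}) $ black box, here with SHA-256 in counter mode standing in for AES because Python’s standard library ships no AES, sails through the NIST SP 800-22 monobit test while anyone holding $ K $ reproduces its “random” output bit for bit. The key and the sample size are constructed for the demonstration.

```python
import hashlib
import math
import struct

# Constructed stand-in for the "secret agency's key" K of the challenge.
# In a real sealed device it would be burned into silicon and unreadable.
SECRET_KEY = b"constructed-example-key-not-a-real-secret"


def keyed_counter_stream(key: bytes, nbytes: int, counter: int = 0) -> bytes:
    """Deterministic keystream: hash(key || counter) for successive counters.
    SHA-256 in counter mode replaces AES_K(CTR) only because the standard
    library has no AES; the predictability property is identical."""
    out = bytearray()
    while len(out) < nbytes:
        out += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def black_box_trng(nbytes: int) -> bytes:
    """What a tamper-resistant 'TRNG' could be doing internally: no physical
    entropy at all, just a keyed counter."""
    return keyed_counter_stream(SECRET_KEY, nbytes)


def monobit_p_value(data: bytes) -> float:
    """NIST SP 800-22 frequency (monobit) test: p = erfc(|S_n| / sqrt(2n)),
    where S_n is (count of 1 bits) - (count of 0 bits) over n bits."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    s_n = 2 * ones - n
    return math.erfc(abs(s_n) / math.sqrt(2 * n))


def passes_monobit(data: bytes, alpha: float = 0.01) -> bool:
    """NIST's decision rule: the sequence is accepted as random if p >= 0.01."""
    return monobit_p_value(data) >= alpha


def is_predictable(sample: bytes, key: bytes) -> bool:
    """Anyone who knows K regenerates the whole 'random' sample exactly."""
    return keyed_counter_stream(key, len(sample)) == sample


if __name__ == "__main__":
    sample = black_box_trng(125_000)  # 1,000,000 bits, as in SP 800-22 examples
    print("monobit p-value:        ", monobit_p_value(sample))
    print("passes statistical test:", passes_monobit(sample))
    print("reproducible with K:    ", is_predictable(sample, SECRET_KEY))
```

The statistical test cannot tell this stream from a physical noise source; only knowledge of what is inside the box can.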

Threats to randomness

For the avoidance of doubt, we are not concerned (at least for this discussion) with global thermonuclear war, electromagnetic pulse weapons or a 007 type agent hiding in your wardrobe. Those are not the cryptographic threats we will be dwelling upon. We are however concerned with soft threats that have surfaced since America’s 9/11 attacks, the subsequent war on terror and recent revelations as to the involvement of the security services with many aspects of cryptography and information security.

Glenn Greenwald’s No Place to Hide recently serialised in Britain’s Guardian newspaper, alleges that both Chinese and American security services routinely intercept and tamper with computer communications equipment bound for overseas customers. He cites an example of the National Security Agency’s Tailored Access Operations unit implanting “call home beacons” in routers. SSH or VPN keys or CSPRNG seeds could also be sent. Re-interpreting the general media’s poor grasp of technology, it’s probably the firmware that is re-flashed and then the routers continue on their way.

The cryptography commentator Bruce Schneier seems to believe that the NSA can break most encryption used routinely on the Internet. With recent announcements that the NSA is moving away from (Suite B) elliptic curve cryptography, there are those in the security community who believe the agency has made progress with the discrete logarithm problem. Similar advances have been made previously by the NSA and kept secret, such as differential cryptanalysis. Or the agency is nudging users towards standardisation of post quantum cryptography with which they might have some advantage in cryptanalysis. Presumably standardisation of the form they previously tried with the Dual EC-DRBG debacle. The openly secret NOBUS (Nobody But Us) policy dictates that it’s okay for everyone to use weakened encryption as long as the US is the only actor able to exploit it. An example of Pax Americana? And the NSA’s Bullrun decryption programme is entirely focused on decryption of online communications, as is GCHQ’s Edgehill, Bullrun’s little brother.

We can only wonder whether it is pure coincidence or a cruel taunt that the NSA mass decryption programme and Intel’s on-chip TRNG share the same name. Has it been the victim of a tactical signals intelligence operation? Or is Intel a recipient of a National Security Letter mandating certain adjustments to the quality of their entropy generator? What about the Broadcom TRNG within the Raspberry Pi single board computer? The underlying hardware implementations for it and Intel’s RDRAND are poorly documented in the literature, bordering on a degree of ambiguity that might be called obfuscation. And as shown, entirely unverifiable by end users. Perhaps some sort of über ring oscillators running at GSamples/second? Gigabit TRNGs only appeared recently in academic research labs and they all use optical methods. Use them at your own risk.

And somewhat speculatively the DUHK vulnerability within the US certified ANSI X9.31 based PRNG may have initially begun as a NOBUS vulnerability. The construction is over 30 years old, and it is entirely feasible (with no particular evidence other than cynicism and psychosis) that the fixed key issue was known or suspected a long time ago. We could go on.

But there are other threats too, coming out of our legislatures. The UK’s Home Secretary, Amber Rudd, has publicly called for outlawing end to end encryption, be it technically possible or not. Those who follow politics will realise that (impossible) technical issues are no bar to proposed legislation. Similarly, Senator Dianne Feinstein is currently trying to relaunch her decrypt-it-on-demand bill. Both seem to champion Joseph Goebbels’ “You have nothing to fear, if you have nothing to hide” argument. The problem is with attitudes and over-reaching legislation exemplified by Cardinal Richelieu, who said “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.” WhatsApp, Allo and the Signal protocol should be concerned. If companies do get banned from distributing strong encryption products, the people will be left to their own devices. Perhaps quite literally in the case of scratch built TRNGs.

We could be accused of having a warped perception of reality. Of being too absorbed with conspiracies and the faked moon landings. Perhaps, but Freedom House recently found:-

“Seventy-one countries suffered net declines in political rights and civil liberties, with only 35 registering gains. This marked the 12th consecutive year of decline in global freedom. China and Russia expand their antidemocratic influence. A confident Chinese president Xi Jinping recently proclaimed that China is “blazing a new trail” for developing countries to follow. It is a path that includes politicized courts, intolerance for dissent, and predetermined elections. The past year brought further, faster erosion of America’s own democratic standards than at any other time in memory, damaging its international credibility as a champion of good governance and human rights.”

And there’s that mischievous Snowden chap with his surprising revelations. Perhaps it’s not just us then. Quoting a recent manufacturer of quantum TRNGs, “Random numbers are too important to be left to chance.”

The solution – DIY TRNGs

If you can’t verify the randomness of a commercial TRNG, the amateur cryptographer is left with little choice but to acquire something that can be exhaustively tested beyond all reasonable doubt. That means building a TRNG yourself.

The psychiatrist Fritz Perls said that the only way to truly believe something is to find it out for oneself. If you’ve built a TRNG from simple, discrete off the shelf parts, you’ll have full transparency. And the confidence that it cannot have been sabotaged by outside actors. It’s unfeasible to believe that voltage regulators, resistors and diodes might have been intercepted in mid shipment and ‘enhanced’ for nefarious purposes. And most importantly, your TRNG can be easily tested with some basic electronics knowledge and tools. With regard to tools and equipment, it is possible to build and test your TRNG with nothing other than the microcontroller being used for the entropy capture. Test equipment in the form of a multimeter or oscilloscope is only required for debugging the circuitry if there are problems. Or for further experimentation, which we strongly encourage. After all, diversity is the antithesis of monoculture.

There is also a downstream concept of the OTP, beyond mere circuitry but crucially important. The lure of an OTP’s perfect secrecy is complemented by it being one of the few cryptographically secure ciphers that can be easily verified by hand. AES-GCM may be efficient if you’re made of silicon and sprockets, but it’s hard to verify your human implementation. The Signal protocol even more so. Third party cryptanalysis and code review helps, but it’s impossible to eliminate all zero day exploits by their very nature. And you might just write bad code. Hence one of the main requirements for lots of truly random numbers is pad generation.

Self built TRNGs are the only sane choice for all of the above reasons.