Good sources of entropy (noise) are an essential part of modern cryptographic systems. I designed a mobile-friendly avalanche noise generator as part of the background work I’ve been doing for the betrusted project (more on that project later). I had to do a new design because the existing open-source ones I could find were too large and power hungry to integrate into a mobile device. I also found it hard to find solid theory pieces on avalanche noise generators, so in the process of researching this I wrote up all my notes in case someone needs to do a ground-up redesign of the system again in the future.
Here’s an excerpt from the notes:
Avalanche breakdown is essentially a miniature particle accelerator: electrons that enter a PN junction’s depletion region (through mechanisms that include thermal noise) are accelerated by the electric field until they carry enough energy to generate new electron-hole pairs when they collide with atoms in the depletion region; those new carriers are accelerated in turn, producing an amplification cascade whose timing and size are not reproducible.
An approximate analogy is an inflatable pool filled with water. The height of the pool is the potential barrier of the reverse-biased PN junction. A hose feeding water into the pool represents a constant current of electrons. The volume of the pool can be thought of as the depletion capacitance, that is, the capacitor created by the region of the junction that is void of carriers due to natural drift and diffusion effects. As water trickles into the pool, the water level rises and eventually forms a meniscus. Random disturbances, such as ripples on the surface due to wind, eventually cause the meniscus to crest over the edge of the pool. The water flowing over the edge pushes down on the inflatable pool’s side, causing more water to flow, until the level has reduced to a point where the inflatable pool’s side can snap back into its original shape, thus restarting the cycle of filling, cresting, and breakdown. The unpredictability of when and where the breakdown might happen, and how much water flows out during the event, is analogous to the entropy generated by the avalanche effect in a PN junction.
The electrical characteristic of avalanche noise biased by a constant current source is a “sawtooth” waveform: a linear ramp up in voltage as the capacitance of the depletion region charges to the point where the electric field becomes large enough to initiate the cascade, and then a sharp drop off in voltage as the cascade rapidly discharges the junction capacitance. The cascade then abruptly halts once the field is no longer strong enough to sustain the cascade effect, leading to a subsequent cycle of charging and breakdown.
The site also includes detailed schematics and measurement results, such as this one.
The final optimized design takes under 1 cm² of board area and draws 520 µA at 3.3 V when active and 12 µA in standby (mostly leakage of the 1.8 V LDO for the output stage, included in the measurement but normally provided by the system), and it passes preliminary functional tests from 2.8-4.4 V and 0-80 °C. The output levels target a 0-1 V swing, meant to be sampled by the on-chip ADC of a companion MCU, but one could add a comparator and turn it into a digital-compatible bitstream. I opted to use an actual diode instead of an NPN transistor’s base-emitter junction, because the noise quality is empirically better and anecdotes on the Internet claim that NPN B-E junctions fail over time when operated as noise sources. I’ll probably go through another iteration of tweaking before final integration, but as far as I know this is the smallest, lowest-power open-source avalanche noise generator to date (slightly smaller than this one).
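As an added illustration of the waveform described above (this is not the post’s circuit, schematic or firmware), here is a small Python model of a constant-current-biased junction sampled by an 8-bit ADC. The junction is reduced to its depletion capacitance charged at a fixed rate (I = C·dV/dt) until a breakdown threshold that is drawn afresh for every cycle; that threshold jitter is the model’s stand-in for the physical unpredictability of when the cascade starts. The bias current, capacitance, reset and breakdown voltages, the Gaussian jitter and the 1 Msps sample rate are all assumptions chosen to give a 0-1 V swing; the most-common-value min-entropy estimate is the plain point estimate, not the full SP 800-90B procedure.

```python
"""Model of a constant-current-biased avalanche source sampled by an ADC.

Added illustration for this page, not the post's circuit or firmware. All
component values, the jitter model and the ADC parameters are assumptions.
"""
import math
import random
from collections import Counter


def simulate_adc_samples(n, fs=1.0e6, i_bias=5e-6, c_dep=10e-12, v_reset=0.1,
                         v_break_mean=0.8, v_break_sigma=0.05, v_full=1.0,
                         bits=8, seed=1):
    """Return n ADC codes of the sawtooth taken at sample rate fs (Hz).

    The analog state is advanced exactly between sample instants (the ramp is
    piecewise linear), so a slow ADC correctly sees several charge/discharge
    cycles between two readings rather than exactly one per reading.
    """
    rng = random.Random(seed)
    slope = i_bias / c_dep                 # ramp rate in V/s, from I = C dV/dt
    dt = 1.0 / fs
    full_scale = (1 << bits) - 1

    def next_threshold():
        # Assumed Gaussian jitter of the breakdown voltage (the model's only
        # randomness); clamped so the threshold always sits above v_reset.
        return max(rng.gauss(v_break_mean, v_break_sigma), v_reset + 0.05)

    v = v_reset
    v_break = next_threshold()
    codes = []
    for _ in range(n):
        remaining = dt
        while True:
            t_to_break = (v_break - v) / slope
            if t_to_break > remaining:      # no breakdown before the next sample
                v += slope * remaining
                break
            # Cascade fires: the junction capacitance dumps its charge abruptly
            # and the cycle restarts from v_reset with a new random threshold.
            remaining -= t_to_break
            v = v_reset
            v_break = next_threshold()
        code = round(v / v_full * full_scale)
        codes.append(max(0, min(full_scale, code)))
    return codes


def min_entropy_mcv(samples):
    """Most-common-value min-entropy estimate, -log2(p_max), in bits per sample.

    Plain point estimate; SP 800-90B's estimator replaces p_max with an upper
    confidence bound before taking the log, which lowers the result further.
    """
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def lsb_bias(codes):
    """Deviation of the ADC least-significant bit from a 50/50 split."""
    ones = sum(c & 1 for c in codes)
    return ones / len(codes) - 0.5


if __name__ == "__main__":
    codes = simulate_adc_samples(20000)
    print("code range  : %d..%d" % (min(codes), max(codes)))
    print("min-entropy : %.2f bits/sample from an 8-bit ADC" % min_entropy_mcv(codes))
    print("LSB bias    : %+.4f" % lsb_bias(codes))
```

Two things the model makes visible: the ADC reading is uniform only over the part of the range the ramp actually sweeps, so an 8-bit code carries well under 8 bits even in this idealized case, and the entropy comes entirely from the breakdown timing, since between breakdowns the ramp is perfectly predictable. A real board adds ADC noise and sample-to-sample correlation that this per-sample estimate ignores, so the number has to be measured on hardware rather than modelled.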
I sell an open source random number generator (OneRNG); one thing that improves the result is to mix data that’s been sampled apart in time (mostly, I think, because some avalanches are quite large, so they force the output over multiple consecutive samples). I do something q
Sorry, stupid phone…. I do something quite simple: take 8 samples as a byte, then 8 more, then XOR the two bytes together. That mixes data that’s temporally separated. Even after that you still need some software whitening; running stuff through AES with a random key is a great way to do this (only use your AES hardware if you really trust it).
I’ve got one of Paul’s RNGs and they’re a good-quality product, well thought out and built. Just wanted to add this comment to point out that this isn’t generic blog spam but a pointer to a useful piece of hardware.
Thanks, mostly I was trying to pass on my experience in an esoteric corner of open source hardware :-) This way, hopefully, this information becomes a little more available for others in the future; we have lots of ways to pass on big ideas, but no general ways to pass on small things.
Oh, one other thing: if you’re sampling the signal that Bunnie is showing above into a digital input, you need to pick a sampling point. You either build an analogue comparator or simply feed it directly into a GPIO on a CPU (or a clocked something like an SPI). If you do the latter, you need to deal with tweaking the signal levels to match the sampling voltages of the GPIO’s input to get roughly 50% 1s/0s.
Whatever you do, you need to deal with metastability. There are two issues here. Sampling something that’s changing and randomly getting values if you sample in a particular range of voltages, or if the change is happening just as the clock happens, is not actually a bad thing in a random number generator. But the really bad sort of metastability, where flops oscillate internally at GHz-ish sorts of rates, suck extreme power and ‘infect’ the rest of the chip, is something to avoid; you need to make sure your input sampling path has multiple high-gain anti-metastability flops, and maybe sacrifice a few goats.
I designed something similar but with a better way to bias the circuit that eliminates the need for an ADC and most of the post-processing, as well as handling ageing of the PN junction.
Rather than just biasing using a fixed voltage, I added a low-pass filter tuned to 10 Hz. The output of that filter is used for biasing, and automatically gives you 50% of the waveform above and below the bias point. I then use another amplification stage to give a nice digital output that avoids the need for an ADC.
To sample I used a timer to clock the SPI peripheral. I was thinking of using a free-running oscillator as the clock to increase randomness, but it proved unnecessary.
The data needs some post-processing, and I found that using the microcontroller’s CRC unit is effective. I use a 32-bit CRC. 8 samples are XORed with 8 bits from the CRC and then fed into it, and the result is a different 8 bits from the new CRC value.
That passes DieHard, DieHarder and every other test I could find at the time.
I also found that the LSB of the on-board temperature sensor was an excellent source of entropy too, but an order of magnitude slower.
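Added example (written for this page; it is neither OneRNG firmware nor the code behind the CRC scheme in the comment above): a constructed bit stream that is biased toward 1 and tends to hold the previous level for several samples, as a large avalanche would, is run through Paul’s XOR of two bytes sampled 8 bits apart and through one reading of the CRC-32 feedback mixer described above, and the bias and lag-1 correlation are measured before and after. The stand-ins are assumptions: the Markov source parameters, zlib’s CRC-32 in place of the microcontroller’s CRC unit, the initial state 0xFFFFFFFF, the choice of the register’s high byte as the 8 feedback bits and of bits 8-15 as the emitted byte.

```python
"""Conditioning raw noise-source bytes: two mixers from the comments above.

Added example for this page, not OneRNG firmware and not the commenter's CRC
code. The source, the CRC flavour and the byte positions are assumptions.
"""
import random
import zlib


def constructed_raw_bits(n, p_one=0.6, p_stick=0.7, seed=7):
    """Constructed stand-in for a comparator output that is not centred on the
    waveform: P(1) = p_one, and each bit repeats the previous one with
    probability p_stick, giving runs and a lag-1 correlation of about p_stick."""
    rng = random.Random(seed)
    bits, prev = [], 0
    for _ in range(n):
        if bits and rng.random() < p_stick:
            bit = prev
        else:
            bit = 1 if rng.random() < p_one else 0
        bits.append(bit)
        prev = bit
    return bits


def pack_bytes(bits):
    """Group bits MSB-first into 8-bit samples; a trailing partial byte is dropped."""
    out = []
    for i in range(0, len(bits) - 7, 8):
        b = 0
        for bit in bits[i:i + 8]:
            b = (b << 1) | bit
        out.append(b)
    return out


def unpack_bits(samples):
    return [(s >> k) & 1 for s in samples for k in range(7, -1, -1)]


def xor_time_separated(samples):
    """Paul's scheme: 8 samples as a byte, 8 more as a second byte, XOR the two."""
    return [samples[i] ^ samples[i + 1] for i in range(0, len(samples) - 1, 2)]


def crc32_mix(samples, init=0xFFFFFFFF):
    """CRC-32 feedback mixer, one reading of the comment's description: XOR each
    sample with 8 bits of the running CRC, clock it in, emit a different byte."""
    state = init
    out = []
    for s in samples:
        fed = s ^ ((state >> 24) & 0xFF)                 # 8 bits from the CRC
        state = zlib.crc32(bytes([fed]), state) & 0xFFFFFFFF
        out.append((state >> 8) & 0xFF)                  # different 8 bits of the new value
    return out


def bias(bits):
    """P(1) - 0.5; zero for an unbiased stream."""
    return sum(bits) / len(bits) - 0.5


def lag1_correlation(bits):
    """Pearson correlation between each bit and the next; ~0 for independent samples."""
    mean = sum(bits) / len(bits)
    num = sum((bits[i] - mean) * (bits[i + 1] - mean) for i in range(len(bits) - 1))
    den = sum((b - mean) ** 2 for b in bits)
    return num / den if den else 0.0


def conditioning_report(n_bits=160_000):
    """(bias, lag-1 correlation) for the raw stream and for each mixer's output."""
    raw = constructed_raw_bits(n_bits)
    samples = pack_bytes(raw)
    xor_bits = unpack_bits(xor_time_separated(samples))
    crc_bits = unpack_bits(crc32_mix(samples))
    return {
        "raw": (bias(raw), lag1_correlation(raw)),
        "xor": (bias(xor_bits), lag1_correlation(xor_bits)),
        "crc": (bias(crc_bits), lag1_correlation(crc_bits)),
    }


if __name__ == "__main__":
    for name, (b, r) in conditioning_report().items():
        print("%-4s bias %+.4f  lag-1 correlation %+.4f" % (name, b, r))
```

The XOR of time-separated bytes cuts the bias but leaves much of the run structure in place, because the two bytes it combines are only 8 samples apart and the source here still remembers its level at that distance; the CRC register mixes the whole history into every output bit, so both bias and correlation drop to the noise floor. Two caveats: the feedback byte must not be the register byte that the CRC itself XORs the input into (for zlib’s reflected CRC-32, the low byte), since XORing the sample with that byte cancels the state term in the table index and the register degenerates into a four-sample shift register; and both mixers are linear, so they remove bias but create no entropy and can be inverted, which is why Paul’s advice to finish with AES (or a hash) before using the output as key material still applies, and why passing DieHard-style tests says nothing about the entropy of the raw source.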
Thank you for once again sharing for free detailed, precise information that would otherwise cost an enormous amount (time, energy, money) to source.
STM32F4, F7, Atmel S70 and others have analog based TRNG peripherals. Are those not useful for crypto? Why use an external circuit like this?