Score:3

DIY TRNG on an embedded system for Ethereum private key generation


I'm trying to build this Ethereum hardware wallet on a custom designed embedded system and I'm no expert. Googling around I found this Robust, low-cost, auditable random number generation for embedded system security paper. As I read the proposal in this paper, it sounded quite safe; a real TRNG. Nevertheless, as I struggled to simulate the circuit in any online circuit builder, I thought that maybe I didn't need that much of a complicated system. Maybe using some sensors (humidity, light, vibration, sound) I could gather external data, use it to seed a PRNG and it would be safe enough. But I'm an expert in neither cryptography nor private key generation practices.

What do you think? Is it reasonably safe enough to use simple external sensors to gather entropy and seed a PRNG? Or should I build this TRNG no matter the struggle? What are the drawbacks of using one over the other? What are the benefits?

Diego Hernandez Herrera
@PaulUszak When I simulate your 9V circuit, how should I measure the "entropy" terminal? I tried using a voltmeter, but at least in the simulation, it didn't change.
Paul Uszak
Let the Gods be praised that they allow us to talk some electronics here. (Otherwise we can jump to the electronics forum if you like). Typical simulators do not have a Zener/Avalanche noise model. That's why nothing is changing. You have to inject external pseudo noise, usually via capacitive/resistive coupling. See https://electronics.stackexchange.com/q/55233/56469. Add say 100mVpp.
Paul Uszak
Any luck......?
Score:1
Dan

Bottom line up-front: don't do it.

First of all, what threat modeling have you done? In other words, if someone physically has the wallet (device) and they crack it open, the source of entropy is attackable (as it is an external circuit fed into the microcontroller). And most of these circuits have issues such as:

  • easily influenced or attacked via physical / environmental attack (temp, voltage glitch, EMI, etc.)

  • aging. Many of these circuits have issues where after even only months, the entropy can drop by an order of magnitude.

Furthermore, it looks like (from the PDF you cited), not including NRE costs, the cost per unit is like 1.44 US dollars or so? And that is at QTY 10K. Atmel (now Microchip) makes RNG chips (others too) that are totally validated, they resist physical attack (mesh), and they are like $0.50 in QTY 1 (see ATSHA204 as just one example). I think the Atmel chip drops to ~30 cents US in QTY 10K.

If you want to play around with this kind of circuit on your lab bench and in LTSPICE, fine, but if you're looking to do this in a security product, there are better paths to choose.

Note: an MCU w/ built-in HRNG/TRNG is even harder to attack, although power/temp/glitch etc. is still possible. But the attacker would have to de-cap the chip to tamper with the interface from RNG to microcontroller's CPU.

Paul Uszak
1) Do you have any examples of bullet point 2? None of my nine+ entropy sources vary by more than a few percent due to temperature variation. And that's irrelevant if you measure Hmin properly.
Paul Uszak
2) How do you propose to validate Microchip's chips given computational indistinguishability? Take their (NSA's) word for it?
Paul Uszak
3) Given a coin price of £3,314.01, why are you focusing on $0.30 costs?
Dan
@PaulUszak - wow, I seem to have really animated you. I appreciate your politeness (sincerely) about upvoting the question, I had only a couple minutes to reply and just forgot to upvote the question.
Dan
@PaulUszak Re 3) what does that have to do with the price of eggs in China? If a solution is 20% of the price and is also superior (that part is subjective, clearly we may not agree), it doesn't matter if you're protecting a ball of lint or a bitcoin, now does it? Not to mention the NRE. Sorry, I don't know if you design embedded electronics for a career.
Dan
@PaulUszak: I don't propose that. Not sure there is a reading comprehension issue there. I never mentioned the NSA. Are you aware of any attacks on this chip that would be easier than the supplied circuit? Do you also design your own ALUs and CPUs? Or do you just take the NSA's word for it. Strange line of questioning.
Dan
@PaulUszak re: bullet point #2 - fair question. I have seen this twice in my career with companies I've worked with (well, I've seen their data, I haven't verified it) and I believe I've seen this reported on an open source project, I will try to dig it up.
Dan
@PaulUszak - just a couple citations, I don't think I'm finding the source I read a few years back... but : 1) (https://emergent.unpythonic.net/01257868826) "The digital noise is biased, but with no excess correlation (after a few years of aging, ~80% "1" bits, entropy upper-bound (shannon entropy) of about .74 bits per bit)" and 2) (https://betrusted.io/avalanche-noise.html) "Some avalanche generators are known to be vulnerable to aging".
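The question proposes seeding a PRNG from sensor readings, and Paul Uszak's comment above says the real issue is measuring Hmin (min-entropy) properly rather than trusting the source. The following is an added example, not code from the question, the answer or the cited paper: it runs the most-common-value min-entropy estimator from NIST SP 800-90B (section 6.3.1) over a constructed set of 10-bit ADC readings from a slowly changing environmental sensor, works out how many raw samples would have to be hashed to reach a 256-bit seed (the 256-bit target is an assumption chosen to match a secp256k1 private key), and conditions the samples through SHA-256. The sample data, the ADC width and the `512 +` baseline are all constructed; real readings would have to be measured on the actual hardware.

```python
import hashlib
import math
import random
from collections import Counter


def constructed_sensor_samples(n=4000, seed=1):
    """Constructed input, not real sensor data: n readings from a hypothetical
    10-bit ADC on a slowly changing environmental sensor. The reading sits at
    512 and only the lowest bits jitter, so most of the 10 bits per sample
    are predictable."""
    rng = random.Random(seed)  # fixed seed so the example is repeatable
    return [512 + int(rng.gauss(0, 1.5)) for _ in range(n)]


def most_common_value_min_entropy(samples):
    """Per-sample min-entropy estimate (bits) via the most-common-value
    estimator of NIST SP 800-90B section 6.3.1: take the empirical
    probability of the most frequent value, move it up to a 99% upper
    confidence bound, and return -log2 of that bound. Deliberately
    conservative: it ignores any bits the attacker might predict less well."""
    n = len(samples)
    p_hat = max(Counter(samples).values()) / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def samples_needed(h_per_sample, target_bits=256):
    """How many raw samples must be hashed to collect target_bits of min-entropy."""
    if h_per_sample <= 0:
        raise ValueError("source has no measurable min-entropy; do not seed from it")
    return math.ceil(target_bits / h_per_sample)


def condition_seed(samples, h_per_sample, target_bits=256):
    """Condition enough raw samples through SHA-256 to produce a 32-byte seed.
    Refuses to produce a seed when the pool is smaller than the estimate
    requires, instead of silently returning a low-entropy value."""
    k = samples_needed(h_per_sample, target_bits)
    if k > len(samples):
        raise ValueError(f"need {k} samples for {target_bits} bits, have {len(samples)}")
    raw = b"".join(s.to_bytes(2, "big") for s in samples[:k])
    return hashlib.sha256(raw).digest()


if __name__ == "__main__":
    pool = constructed_sensor_samples()
    h = most_common_value_min_entropy(pool)
    print(f"estimated min-entropy: {h:.2f} bits per 10-bit sample")
    print(f"samples needed for a 256-bit seed: {samples_needed(h)}")
    print("seed:", condition_seed(pool, h).hex())
```

On the constructed data the estimator reports roughly one bit of min-entropy per 10-bit reading, so a naive "10 bits per sample" assumption would overstate the seed's strength by an order of magnitude; that gap is what the aging and environmental-influence objections in the answer amount to in practice, since both push p_max up and Hmin down over time. The most-common-value estimate is only one of the 800-90B estimators and assumes the samples are close to independent, so a sensor with slow drift or a periodic component needs the other estimators (or an IID test) before the per-sample figure is trusted.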