Score:4

What are the state-of-the-art TRNGs today?


How fast are the fastest ones? Which ones have the most entropy? Which ones are the most practical ones?

I tried looking for answers on Wikipedia and also, I tried reading papers, but I couldn’t find answers to these questions. I was looking for a recent paper that would have compared all the TRNGs, but I couldn’t find one.

There is also an underlying assumption in the question: Is there a way we can rank order random number generators?

poncho
One thing I never quite understood: why do we need ultra-high-speed TRNGs? In my mind, a more practical solution is to take a moderate speed TRNG, have it produce 256+ bits of entropy and use that to seed a CSRNG, and use that output (and if you need something faster than a single CSRNG, use several in parallel). After all, most of our uses of random bits are to seed some computational complexity object, and so introducing additional computation complexity assumptions with our CSRNG isn't really adding another security assumption.
Paul Uszak
@poncho Because a CSPRNG can't make a one time pad?
poncho
@PaulUszak: and how often do you make a one-time pad? How do you distribute it?
Paul Uszak
@poncho I know that you're pulling my chain ;-) But for other dear readers, they/I want the ability to create OTPs for any reason. So do all banks, militaries and governments. And the key distribution “problem” is clearly moot. It’s just fear, uncertainty and doubt spread by security agencies and their acolytes. 8K UHD movies are not a use case for OTPs. You distribute the key personally to the recipient, as has been done across the centuries (amateur) or buy/build a QKDN (professional).
Paul Uszak
Readers may want to see the highly upvoted [Are one time pads still used, perhaps for military or diplomatic purposes?](https://crypto.stackexchange.com/q/106796/23115) for modern usage.
Score:3

How fast are the fastest TRNGs? Which ones have the most entropy?

This recent article claims 100 Gbit/s min-entropy, and gives reference to several >10 Gbit/s generators. These are lab experiments, where some quantum phenomenon is converted to digital with an Analog-to-Digital Converter. Much of the generator's entropy comes from the low-order bits of the ADC (it's acknowledged that an ADC with more bits increases the rate), thus I'm not so sure that most of the claimed entropy rate comes from the quantum phenomenon observed, rather than from (quantum) noise in the ADC.

It's dubious that such ultra-high speed is of much use in practical use cases, because a TRNG can be used to seed a Cryptographically Strong Pseudo-RNG, which can have a high rate and (by definition) is indistinguishable from a TRNG. Even a 100 kbit/s rate (which would be easy with the practical constructs below) is fine to seed a CSPRNG with 256-bit state in under 3 ms, and very few applications need random numbers this soon after power-up.

Which ones are the most practical ones?

Common TRNGs in integrated circuits use ring oscillators, and/or noise generators compared to their mean, or combinations thereof. Their output typically feeds a de-biasing circuit and/or a Pseudo-RNG.

The most practically important criterion for a TRNG in a crypto context is that it does not go, undetected, into a state such that it produces much less entropy than expected, by accident or because an adversary deliberately induced that (e.g. by spraying some liquefied gas on the gismo, connecting it to a power source with high ripple, putting it in latch-up with an ESD, or beaming some laser or powerful RF signal at it).

Typically, the hardest-to-get-right part is surveillance of the TRNG to detect that it fails, with two pitfalls to avoid: not detecting a failure, and false detection.

Is there a way we can rank random number generators?

For cryptographic applications, the qualitative properties of TRNGs are ranked into functionality classes. The lowest, deprecated, basically is to pass statistical tests like NIST 800-22. Speed can also be a ranking criterion.

Paul Uszak
From personal experience I find that simple circuits like Mata Hari (my answer) are not substantially affected by ripple. Mathematically H(ripple) ~ 0 like H(sine) = 0, so the entropy rides on top like a prickly sine wave. Practically, H(sine) ~ 1 bit/Sa due to non deterministic quantization error. So ripple just bolsters the entropy. And the digital parts (+capacitors) reject it.
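
One way to implement the surveillance that the answer above calls the hardest part, as an added example that is not part of the original thread: the repetition count test (RCT) and adaptive proportion test (APT) described in NIST SP 800-90B, with cutoffs derived from a claimed min-entropy `h` per sample and an assumed false-alarm probability of 2^-20. The function names and the three sample streams are constructed for illustration.

```python
import math
import random

ALPHA = 2.0 ** -20  # accepted false-alarm probability per test (assumed here)

def rct_cutoff(h, alpha=ALPHA):
    """Repetition Count Test: alarm when a value repeats this many times in a row."""
    return 1 + math.ceil(-math.log2(alpha) / h)

def apt_cutoff(h, window=1024, alpha=ALPHA):
    """Adaptive Proportion Test: smallest c with P[Binomial(window, 2^-h) >= c] <= alpha."""
    p, tail = 2.0 ** -h, 0.0
    for k in range(window, -1, -1):  # sum the upper tail from the top down
        log_pmf = (math.lgamma(window + 1) - math.lgamma(k + 1) - math.lgamma(window - k + 1)
                   + k * math.log(p) + (window - k) * math.log1p(-p))
        tail += math.exp(log_pmf)
        if tail > alpha:
            return k + 1
    return 0

def first_alarm(samples, h, rct_c=None, window=1024):
    """Return (test, index) of the first alarm, or None if the stream passes."""
    rct_c = rct_c or rct_cutoff(h)
    apt_c = apt_cutoff(h, window)
    last, run = None, 0             # RCT state
    ref, count, seen = None, 0, 0   # APT state
    for i, s in enumerate(samples):
        run = run + 1 if s == last else 1
        last = s
        if run >= rct_c:
            return ("RCT", i)
        if seen == 0:               # first sample of a window becomes the reference
            ref, count = s, 0
        count += (s == ref)
        seen = (seen + 1) % window
        if count >= apt_c:
            return ("APT", i)
    return None

# Constructed inputs: a seeded PRNG stands in for a healthy 1 bit/sample source.
rng = random.Random(1)
healthy = [rng.getrandbits(1) for _ in range(2048)]
stuck = [1] * 100                   # source latched at one value
biased = [1, 1, 1, 0] * 512         # 75 % ones, never more than 3 in a row

if __name__ == "__main__":
    print("cutoffs", rct_cutoff(1.0), apt_cutoff(1.0))
    for name, data in [("healthy", healthy), ("stuck", stuck), ("biased", biased)]:
        print(name, first_alarm(data, 1.0))
    print("healthy, RCT cutoff 6:", first_alarm(healthy, 1.0, rct_c=6))
```

The biased stream passes the repetition test and is caught only by the proportion test, which is the missed-detection pitfall; tightening the RCT cutoff to 6 makes the healthy stream raise an alarm, which is the false-detection pitfall.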
Score:3

How fast are the fastest ones?

Chaotic laser emission is pretty much fastest. That's shoving a laser beam up itself. This one allegedly can be run at 1.2 Tbit/s:-

lasers

That's a start for your further research.

Which ones have the most entropy?

If it's a proper TRNG, they'll all have a min entropy approaching 1 bit/bit and an autocorrelation approaching 0.

Which ones are the most practical ones?

Old Linux's /dev/random was very useful as it could generate 1000's bits/minute when you were typing or mousing the PC. Unfortunately that was sabotaged out of existence in recent kernel changes. Cui bono? You can create a hardwareless TRNG by leveraging the non deterministic behaviour of modern CPUs, but the entropy rate is unpredictable. Doable nevertheless.

So I would say this is (technically an entropy source):-

Kerchoff circuit

If you need a TRNG, then the impossibility of personal audit and computational indistinguishability mean that the only secure TRNG is one that you build yourself. Like above which runs on a 9V battery.

“Relying solely on the hardware random number generator which is using an implementation sealed inside a chip which is impossible to audit is a BAD idea.” - Theodore Ts’o (/dev/random Linux node creator).

Random numbers allow one to have a private conversation, but that comes at a price (about £1 of components, some nails and an Arduino). There's a fun implementation and yet serious analysis here.

Lastly, we could order them by weight or colour but I'm not sure of the benefits of that. But if you were to order them by security, then the one above wins hands down as you know exactly what it's doing.

Maarten Bodewes
This answer seems to start off well, and then it degrades into attacking the Linux RNG without giving any reason. I'm also not sure how and why you think that human input is speedy and/or contains a lot of entropy. Not sure what I think of self-built circuits. Maybe you can validate them but they can fail easily as well. You cannot fully test CPUs either, but at least they should be deterministic and the *results* at a particular time can be validated.
b degnan
I always liked the "mean time to collision" math of laser interference.... it's a photon until it's..not. so cool
Paul Uszak
@MaartenBodewes-onstrike Reason: Can I quote a senior contributor and now an (unbiased I’m sure) moderator “The `/dev/random`(sic) change, that was a _good_ thing. I supported it and even helped (to a limited extent) to get it through.” NSA mana, sabotage, or contractor objective? Cui bono? You’ve taken away the ability of the People to have easy privacy. Love to engage with you a bit more but at the moment the river’s flooding and we have to move the pigs.