Ultra-low-cost True Randomness
Cryptocrat writes "Today I blogged about a new method for secure random sequence generation that is based on physical properties of hardware, but requires only hardware found on most computer systems: from standard PCs to RFID tags." Basically he's power-cycling memory and looking at the default state of the bits, which surprisingly (to me anyway) is able both to fingerprint systems and to generate a true random number. There is also a PDF paper on the subject if you're interested in the concept.
Re:A Slightly More Expensive Method (Score:3, Insightful)
I don't expect this to be statistically random: they claim it's based on thermal noise. But the startup temperature of a computer does not have that much entropy, so the thermal noise isn't reliable. Just because something's garbage doesn't mean it's statistically random.
The quality of randomness.... (Score:2, Insightful)
Re:A Slightly More Expensive Method (Score:2, Insightful)
123456789123456789123456789123456789123456789
That's how to test uniformity, but not randomness.
Re:A Slightly More Expensive Method (Score:3, Insightful)
12345678901234567890
See? The distribution of digits doesn't tell you a whole lot about the randomness of a stream.
A nice way to define randomness is using Kolmogorov Complexity. A random number then is a number that cannot be represented by a program (in some code language) that is shorter than the random number itself. In other words: if the smallest program that outputs number X is the program "print X" then X is considered a random number.
Re:Random karma whore (Score:3, Insightful)
Re:This is hardly random (Score:4, Insightful)
As for it being a good RNG; the state of RAM on power-up is probably a lousy "random number generator", but the statistics in the paper suggest it is a fairly good "source of randomness". There's a big difference between bias and unpredictability (think about dice with '1' on five of the sides and '0' on the remaining side). You wouldn't want to use the state without putting it through a compression function first, but it's a much better seed than using clock() [berkeley.edu]!
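An added illustration of the comment above, not part of the thread or of the paper: it treats the five-sided-'1' die as a biased bit source, budgets the raw read by min-entropy rather than by how uniform the bits look, and compresses the result with SHA-256. The function names, the `powerup-seed-v1` label, the 2x margin and the simulated read are all assumptions made for this example.

```python
import hashlib
import math
import random

def min_entropy_per_bit(p_one):
    """Worst-case entropy of one biased bit: -log2 of the likeliest value."""
    return -math.log2(max(p_one, 1.0 - p_one))

def shannon_entropy_per_bit(p_one):
    """Average-case entropy; overstates what a guessing attacker faces."""
    q = 1.0 - p_one
    return -sum(x * math.log2(x) for x in (p_one, q) if x > 0)

def raw_bits_needed(p_one, target_bits=256, margin=2.0):
    """Raw bits to read so the input carries margin * target_bits of
    min-entropy (the 2x margin is an assumed safety factor)."""
    h = min_entropy_per_bit(p_one)
    if h <= 0:
        raise ValueError("source is fully predictable; nothing to extract")
    return math.ceil(margin * target_bits / h)

def pack_bits(bits):
    """Pack a list of 0/1 ints into bytes, most significant bit first."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def condition(raw, label=b"powerup-seed-v1"):
    """Compress biased raw state into a 256-bit seed (label is hypothetical)."""
    return hashlib.sha256(label + raw).digest()

def simulated_powerup_bits(n, p_one, rng):
    """Constructed stand-in for a power-up memory read. The PRNG only
    models the bias; it is not an entropy source."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def demo(p_one=5 / 6):
    n = raw_bits_needed(p_one)
    rng = random.Random(2007)  # fixed so the demo is repeatable
    first = simulated_powerup_bits(n, p_one, rng)
    second = simulated_powerup_bits(n, p_one, rng)
    return {"raw_bits": n, "ones_fraction": sum(first) / n,
            "seed_a": condition(pack_bits(first)),
            "seed_b": condition(pack_bits(second))}
```

Calling `demo()` shows a source that is about 83% ones still yielding distinct 256-bit seeds, provided enough raw bits are read before hashing.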
Re:HotBits (Score:2, Insightful)
They vary in quality, but it really doesn't matter. With the proper post-processing, they all provide true randomness that is basically as good as randomness is possible to be.
Radioactive decay tends to be the most expensive and the least practical. Shot noise in a reverse-biased zener diode is generally the cheapest if you're going to build hardware to produce it. In a traditional computer such as the one on your desk, there are often several usable sources of true randomness.
Thermal noise in the lowest bits of your sound card works fairly well. You simply digitize the unconnected audio input.
Another good source is microscopic zone temperature variations in two independent crystal oscillators. You can usually find this by grabbing the TSC (instruction cycle counter) when a packet is received. Your network card has a crystal oscillator that is independent of the oscillator that generates your processor's core clock. (Obviously, only the lowest bits are useful.)
Metastable flip-flops more appropriate? (Score:2, Insightful)