OneRNG – Open Hardware Random Number Generator

Note: I&#x27;m Paul the designer<p>Some background - this board is in late beta testing, we&#x27;re going to kickstart it and release it (with papers scheduled at a couple of conferences) - it&#x27;s hitting Hacker News a little early - but keep us in mind when we do finally release to the public - at the moment we haven&#x27;t published the design - we&#x27;ll be putting up both the firmware an hardware designs on GitHub when we think it&#x27;s ready for the public (almost there)<p>If you want some idea of the code and development system it&#x27;s largely based on the dev system for out IoT project:<p><a href="http:&#x2F;&#x2F;www.moonbaseotago.com&#x2F;cheaprf&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.moonbaseotago.com&#x2F;cheaprf&#x2F;</a><p>Meanwhile I&#x27;m happy to answer questions

Well, I&#x27;m happy to see that for once, they understand that the single most important thing is that it&#x27;s <i>verifiable</i>.<p>So many crypto-related systems ask you to trust the provider implicitly it&#x27;s not even funny.<p>I don&#x27;t care who you are, if I can&#x27;t look at the source (all the way down) of your product and build it myself, it&#x27;s not going to make the cut as a &quot;secure&quot; system. You can provide <i>additional</i> guarantees and proofs, but showing me the source is item number 0.<p>Sure, it&#x27;s not perfect, but it&#x27;s much closer to perfect than any alternatives.

A question for the designers (Paul?) about verifiability. In the software world you can effectively choose from 2 levels of review. You can (1) review the source code of a project and convince yourself it&#x27;s fine. Or (2) you can assume&#x2F;hope that experts have done that, download the software, and just verify you have an identical copy of what everyone else is reviewing. (Ideally using signatures of the authors and reviewers.)<p>Almost everyone who cares does step 2, assuming they do anything at all. Very few people are qualified or bother to review source code, but everyone who performs step 2 can feel pretty safe, as long as a release is big enough that it&#x27;s getting reviewed by experts.<p>So, what&#x27;s the hardware equivalent? If I&#x27;m not capable of reviewing the schema of this hardware, but someone I trust says &quot;this is great&quot;, how do I at least know the one I bought is identical to the one she&#x2F;he bought (or built) and reviewed? How do I verify the components? This seems like a difficult problem.

If the avalanche diode is the main&#x2F;primary source of entropy why do we need the CC2531? The super paranoid part of me is worried about the 802.15.4 radio being used as a vector to taint the RNG.<p>Shouldn&#x27;t an HW RNG NOT have any secondary communication method built in?<p>I am guessing you guys added that because that&#x27;s the platform you&#x27;re working with for your IOT project, but it just seems a little overkill to me. The diode data acquisition and the USB comms could be easily done using any Cortex-M0 type micro.

This seems sound. However, I&#x27;m in doubt about some of their points:<p>&gt; <i>You can ask it to dump the current firmware to you</i><p>It can dump the firmware but it can still execute something else than this (or in addition to) this firmware, can&#x27;t it?<p>&gt; <i>You can see all the components on the board</i><p>The fact that I can see these tiny thingies doesn&#x27;t do much good either? Can I, seeing them, tell what they do? No.<p>Building one of these yourself seems to solve both problems. Not trying to undermine it or anything, just curious what others think of it.

A good CS-PRNG can take a modest amount of entropy and store it in a way (internal state) that you trust it can&#x27;t be recovered by the attacker. From this they can generate a nearly endless supply of random output. That, as I understand it, is &#x2F;dev&#x2F;random vs. &#x2F;dev&#x2F;urandom&#x2F;.<p>So it&#x27;s nice to have a good reliable source of <i>entropy</i>, but you can also consider how protected is the internal state, aka the place you stick that entropy? The better protected the CS-PRNG state, the less entropy you actually need.<p>If you trust the CS-PRNG state, then hardware entropy sources won&#x27;t matter much to you, because you just don&#x27;t need that much entropy. When you start streaming entropy from many sources, it&#x27;s probably to consistently update internal state over time because you don&#x27;t fully trust that the state is secure.<p>It should make no difference either way in the quality of the output (directly pulling entropy versus CS-PRNG output). Because the necessary amount of output to reverse-engineer state is almost infinite, the output of a properly implemented CS-PRNG is highly trusted. And they&#x27;re really nice algorithms that have well reviewed implementations.

Suggestion for modification: Call it OpenRNG instead of OneRNG. In every second sentence i read the word open. Its obviously a main purpose.

If this gadget sells for under $50 (which it certainly should) I might consider buying one, just for the fun of it.<p>But I haven&#x27;t seen anyone here mention ID Quantique, one of the companies that the &quot;big boys&quot; use for random numbers. They&#x27;re in Switzerland: <a href="http://idquantique.com/" rel="nofollow">http:&#x2F;&#x2F;idquantique.com&#x2F;</a><p>Admittedly not open hardware, but FWIW they claim:<p><pre><code> QUANTIS has been evaluated and certified by the Swiss Federal Office of Metrology (also known as METAS), the Swiss national organization in charge of measurement science, testing and compliance. It confirmed that the quality of its random output complies with the highest requirements. </code></pre> The minor detail about buying from ID Quantique is that their cheapest USB product sells for about 990 euros, or about $1250.[1]<p>I know it&#x27;s apples and oranges, but anyone interested in this product should at least be aware of some alternatives.<p>[1] <a href="http://idquantique.com/component/content/article.html?id=83" rel="nofollow">http:&#x2F;&#x2F;idquantique.com&#x2F;component&#x2F;content&#x2F;article.html?id=83</a>

How does it compare to the NeuG? Which entropy source is better? <a href="http:&#x2F;&#x2F;www.gniibe.org&#x2F;memo&#x2F;development&#x2F;gnuk&#x2F;rng&#x2F;neug.html" rel="nofollow">http:&#x2F;&#x2F;www.gniibe.org&#x2F;memo&#x2F;development&#x2F;gnuk&#x2F;rng&#x2F;neug.html</a>

I&#x27;m curious why they chose to use an avalanche diode which doesn&#x27;t generate quantum-random numbers, unlike a reverse-biased transistor.<p>As far as I&#x27;m aware, this means you could effect the numbers, by varying temperature.

Back about 25 years ago I wanted to build a PC card to generate better random numbers. The idea I had at the time was to build in a set of four or five FM&#x2F;AM radio receivers into this card and have them hop ratio stations constantly at, well, random intervals. Then I&#x27;d use the digitized audio signals in some combination to feed a random number generator. I thought it was a good idea at the time. Well, I didn&#x27;t have enough experience yet to know just how much I didn&#x27;t know. Never built it.

&gt; It even has a “tinfoil hat” to prevent RF interference<p>Isn&#x27;t this a problem in the US, being against the famous part 15 of the FCC rules:<p>«Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.»

That&#x27;s awfully complicated for a hardware RNG. A channel-hopping receiver? The classic solution is a radiation source, which quantum mechanics says is random.<p><a href="http:&#x2F;&#x2F;www.fourmilab.ch&#x2F;hotbits&#x2F;hardware3.html" rel="nofollow">http:&#x2F;&#x2F;www.fourmilab.ch&#x2F;hotbits&#x2F;hardware3.html</a>

On a related note, is there any device out there that lets you create a private key and &quot;burn&quot; it to that device in a way that the key cannot be taken off the device and you instead use the device the same way you use SSH_AUTH_SOCK?<p>Ultimately, it would be nice to have a way where private keys can not be copied.

Total layman question here, but how does an avalanche diode work?

Or you could just use a shitty cheap webcam and take the lower bits of each pixel (or one pixel of each 8x8 block if the compression is bad).<p>The amount of randomness per second webcams generate is pretty insane, it&#x27;s more than enough to feed the seed of a crypto PRNG function like Fortuna.