Entropy-producing components (advanced)
Entropy refers to the degree of unpredictability, or randomness, in a system. The nature, importance, and generation of random numbers have been discussed in connection with both cryptographic implementations and key management (the latter also describes the related PUF device). Randomness is also needed outside cryptography, for example in games, lottery applications, and stochastic simulations. The requirements are not as strict as in cryptography, but unpredictability is certainly important in lotteries and some games as well. In the field of information security, randomness is also used to conceal implemented countermeasures from attackers. The mitigation of side channels discussed in the previous section may also make use of randomness.
There are two types of random numbers: pseudo and true. Naturally, neither property applies to a single number but to the method by which it is produced. The terms used are PRNG and TRNG, where P = pseudo, T = true, and RNG = random number generator. The N is often replaced by B = bit. Randomness means that all possible values are equally likely and that each generated value is independent of preceding and subsequent values.
The design, properties, and testing of RNG implementations are described in the standards NIST 800-90A (PRNG), NIST 800-90B (entropy sources), and NIST 800-90C (RNG constructions). The German BSI has published two important standards: AIS-20 for functionality classes and evaluation criteria for PRNGs, and AIS-31 for physical RNGs. Each standard includes a large number of tests aimed at identifying statistical weaknesses, that is, deviations from a uniform distribution.
PRNGs are deterministic algorithms, so it is important to always initialise them with a different seed value. The seed can be produced by a TRNG, even if the TRNG would be too slow to produce the entire random sequence. At a minimum, the seed must be non-repeating, such as an incrementing counter value. This alone may suffice for cryptographic security if an attacker cannot derive past or future values even from several consecutively generated outputs.
The security provided by a PRNG depends on the cryptographic algorithm it uses. TRNGs, in contrast, provide full entropy inherently, regardless of advances in mathematics and cryptanalysis.
The core of a TRNG consists of an entropy source, that is, a physical phenomenon with truly random behaviour. In electronic circuits, entropy sources typically include thermal noise, jitter, and metastability. However, these sources are not perfect: the bits they produce may contain bias, correlation, or other deviations. Therefore, entropy extractors or conditioners are typically used in addition. Since these are deterministic processes, they cannot increase total entropy. Consequently, their output is always shorter than the input.
Due to variations in environmental conditions, such as temperature or voltage, the quality of a TRNG’s output may vary over time. Therefore, standards describe tests that should be applied at the start of the generation process and continuously during operation. Three main classes of tests can be distinguished. The first is a total failure test applied to the entropy source. The second category is online health tests that monitor the quality of entropy extractors. The third consists of tests applied to post-processed bits.
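The two preceding paragraphs, as an added example that is not part of the original course text: a Von Neumann extractor shows why conditioned output is shorter than the raw input, and the Repetition Count Test from NIST SP 800-90B is used here as one instance of a total failure test. The raw source is a constructed software stand-in with an assumed bias of 0.8, and all function names are chosen for this example.

```python
import math
import random

def rct_cutoff(min_entropy, alpha_exp=20):
    """SP 800-90B Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H).
    alpha = 2**-alpha_exp is the accepted false-alarm probability."""
    return 1 + math.ceil(alpha_exp / min_entropy)

def repetition_count_test(samples, cutoff):
    """Return the index where a run of identical samples reaches the cutoff
    (source considered failed, e.g. stuck-at), or None if no run does."""
    run, last = 0, None
    for i, s in enumerate(samples):
        run = run + 1 if s == last else 1
        last = s
        if run >= cutoff:
            return i
    return None

def von_neumann(bits):
    """Von Neumann extractor: pair 10 -> 1, 01 -> 0, pairs 00 and 11 dropped.
    Removes bias only if the input bits are independent; it does not fix correlation."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def biased_source(n, p_one, seed):
    """Constructed stand-in for a raw noise source: independent bits, P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def demo():
    p_one = 0.8                                   # assumed bias of the raw source
    raw = biased_source(20000, p_one, seed=1)
    out = von_neumann(raw)
    cutoff = rct_cutoff(-math.log2(p_one))        # min-entropy per bit = -log2(max p)
    stuck = raw[:500] + [1] * cutoff              # source sticks at 1 after 500 samples
    return {
        "raw_ones": sum(raw) / len(raw),
        "out_ones": sum(out) / len(out),
        "raw_len": len(raw),
        "out_len": len(out),
        "cutoff": cutoff,
        "stuck_detected_at": repetition_count_test(stuck, cutoff),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```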
The challenges in designing a TRNG are, first, to provide clear and convincing evidence of the entropy source, and second, to design online tests that are both compact and capable of detecting a wide range of faults. Attacks against TRNGs, their countermeasures, and TRNG sensors are an active area of research, particularly in the context of IoT and embedded devices.