Cryptography Reference
HARDWARE-BASED NON-DETERMINISTIC GENERATORS
Hardware-based non-deterministic generators rely on the randomness of physical
phenomena. Generators of this type require specialist hardware. Generally
speaking, these are the best sources of 'true' randomness. Examples include:
• measurement of the time intervals involved in radioactive decay of a nuclear
atom;
• semiconductor thermal (Johnson) noise, which is generated by the thermal
motion of electrons;
• instability measurements of free-running oscillators;
• white noise emitted by electrical appliances;
• quantum measurements of single photons reflected into a mirror.
Hardware-based generators provide a continuous supply of randomly generated
output for as long as the power required to run the generator lasts,
or until the process ceases to produce output. However, because specialist
hardware is required, these types of generator are relatively expensive. In some
cases the randomly generated output is produced too slowly to be of much
practical use.
SOFTWARE-BASED NON-DETERMINISTIC GENERATORS
Software-based non-deterministic generators rely on the randomness of physical
phenomena detectable by the hardware contained in a computing device.
Examples include:
• capture of keystroke timing;
• outputs from a system clock;
• hard-drive seek times;
• capturing times between interrupts (such as mouse clicks);
• mouse movements;
• computations based on network statistics.
These sources of randomness are cheaper, faster and easier to implement than
hardware-based techniques. But they are also of lower quality and easier for an
attacker to access or compromise. When using software-based techniques it may
be advisable to combine a number of different software-based non-deterministic
generators.
NON-DETERMINISTIC GENERATORS IN PRACTICE
Non-deterministic generators work by measuring the physical phenomena and
then converting the measurements into a string of bits. In some cases the initial
binary string that is generated may need some further processing. For example, if
the source was based on mouse clicks then periods of user inactivity may have to
be discarded.
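The processing described above, as an added example that is not from the original text: click timestamps are turned into intervals, periods of inactivity are discarded, one bit is kept per interval, and the result is combined with a second software-based source. The 2-second idle threshold, the choice of the least significant bit, SHA-256 as the combining function and all sample values are assumptions made for illustration.

```python
import hashlib

IDLE_GAP_US = 2_000_000  # assumption: a gap of 2 s or more is user inactivity

def intervals(timestamps_us):
    """Time between consecutive events (e.g. mouse clicks), in microseconds."""
    return [b - a for a, b in zip(timestamps_us, timestamps_us[1:])]

def drop_idle(deltas, idle_gap=IDLE_GAP_US):
    """Discard intervals that span a period of user inactivity."""
    return [d for d in deltas if d < idle_gap]

def lsb_bits(deltas):
    """Keep only the least significant bit of each interval; the high bits
    are dominated by the user's pace and are easier to predict."""
    return [d & 1 for d in deltas]

def pack_bits(bits):
    """Pack bits MSB-first into bytes, dropping an incomplete final byte."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def combine(*sources):
    """Mix several sources into one 32-byte value. Each input is
    length-prefixed so that (b"ab", b"c") and (b"a", b"bc") differ."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(4, "big"))
        h.update(s)
    return h.digest()

# Constructed sample data, not real measurements.
CLICKS_US = [0, 150003, 290009, 4999999, 5120006, 5260008,
             5393342, 5518343, 5678343, 5848344]
SEEK_TIMES = bytes([0x3C, 0x91, 0x07, 0xE2])  # stand-in for a second source

def demo():
    click_bytes = pack_bits(lsb_bits(drop_idle(intervals(CLICKS_US))))
    return click_bytes, combine(click_bytes, SEEK_TIMES)

if __name__ == "__main__":
    clicks, seed = demo()
    print(clicks.hex(), seed.hex())
```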
 