Infinite Noise TRNG

$11,155 raised

of $200 goal

Funded! Order Now

Apr 27

funded on

5,577%

funded

226

pledges

Product Choices

$35

Infinite Noise TRNG

Get one Infinite Noise TRNG with the transparent enclosure.


$65

Double Noise

Receive two Infinite Noise TRNG made by "the machine", with cases.


$95

Triple Noise

Receive three Infinite Noise TRNG made by "the machine", with cases.

Details

Open hardware USB true random number generator

As Featured In

seguridadprofesionalhoy

"Útil para tareas de seguridad relacionadas con la generación de claves de acceso, el Infnite Noise TRNG (True Random Number Generator) de Manuel Domke es un dispositivo de hardware abierto (open hardware) que permite generar números aleatorios."

Electronics-Lab

"The Infinite Noise TRNG is an affordable and secure true random number generator..."

Hackster.io

"While it is possible to generate random numbers on something like the Arduino, it takes some effort, and a source of random chaos such as thermal noise. Which is why the Infinite Noise TRNG... could well prove rather useful."

Medium

"The strength of these systems springs from the transparency of their design: You can inspect the circuit yourself, and you can build it at home using off-the-shelf components."


The Infinite Noise TRNG is an affordable and secure true random number generator (TRNG). It’s based on a modular entropy multiplier technique that continuously loops over previous random output, gathering randomness from the noise of the hardware components along the way, to generate the next random output. This way it produces a constant, measurable level of entropy which is then whitened to produce true random numbers. The openness of the implementation makes it easy to inspect and verify, as all security hardware should be!

Who Needs It and Why?

Almost any cryptographic operation relies on random numbers - and there are many different approaches to collect this entropy. For Linux systems, this is mostly done with user input and other hardware timing’s “randomness”. This approach is very slow and its performance mainly depends on the computer’s activity.

For situations where the Linux Random Pool /dev/random depletes and finally blocks, hardware random number generators like the Infinite Noise TRNG provide a secure, high performance way to feed entropy into your computer.

  • When you operate many virtual machines, lack of entropy can be a serious problem as all VMs share the host’s entropy source. The Infinite Noise will provide lots of random numbers to the host system.
  • Large web-servers doing SSL encryption can be sped up by using hardware random number generators, while making communications more secure.
  • If you operate Linux-based WiFi access points (whether using a PC, laptop, or custom hardware), they can benefit from plentiful available entropy, as WPA2 authentication relies on it.

The next big thing about random number generators is security. When you take a close look at the last 20 years of information technology, there have been dozens of security incidents with flaws in random number generators.

  • 1994: First Netscape SSL implementations using a predictable seed.
  • 2007: Reverse engineering showed that the Windows 2000/XP random number generator had a bug that makes it vulnerable. It’s been there for years.
  • 2008: Members of the CCC developed an attack overcoming a poor RNG used in MIFARE Crypto-1, which is still used in some RFID tags.
  • 2008: The random number generator used in OpenSSL had a critical bug - possibly affecting the security of all keys generated before 2008.
  • 2013: Snowden documents unveiled that the Dual_EC_DRBG algorithm has been backdoored by the NSA. Even worse - it has been recommended by the NIST and actually adopted by manufacturers (like BlackBerry)
  • 2016: The Linux driver for a very common wireless card (ath9k) appears to have a HWRNG which was not designed to be used as security device. Its just an ADC - and nobody knows where the data comes from. But one thing is for sure: It’s not very random and dominated the Linux entropy pool - which is really bad. Thats why kernel developers decided to disable it by default - but the change did not arrive in all distros yet.

In all these scenarios, the Infinite Noise TRNG helps you to generate random numbers with confidence. A good entropy source can’t help you with everything - but it’s fundamental for all secure applications.

Use Cases

The Infinite Noise TRNG is useful in any situation requiring more entropy than normally available on a typical personal computer. The Infinite Noise TRNG is a good choice if you are:

  • Building your own certificate authority
  • Administering wireless access points with WPA2
  • Running a high-traffic server with SSL enabled
  • Having fun with one-time pads
  • Replacing /dev/urandom with a more secure and faster /dev/random
  • In need of a strong password

How it works

The hardware derives entropy from thermal noise, like many random number generators. What divides it from other TRNGs is the modular entropy multiplication technique.

Thermal noise of resistors is being amplified in an infinite loop to generate data – which is not totally random yet. By using modular entropy multiplication there is some correlation of adjacent bits in the stream.

Health monitoring of important parameters of the raw datastream is implemented in the devices driver, which then uses the SHA-3 hashing function for cryptographic whitening to produce true random numbers.

There is no way to override the signal without being noticed by the driver. Of course it’s possible to influence it a bit, but because we use modular entropy multiplication, this only makes the output slightly more random.

Since by definition there are no patterns in random data, how can you know the data coming from your entropy source was not spoofed? The Infinite Noise TRNG produces this predictable level of entropy, just because it’s the only way to constantly verify the hardware is working properly. And only then will it apply whitening with the SHA3 hashing function.

It may sound daunting, but this is the key feature of this implementation, as the foreseeable (and very high) level of entropy enables the driver to monitor proper function of the device. This is an essential feature for any trustworthy random number generator, which most devices unfortunately are missing. Even when you can access the raw output - during operation you often don’t find a way to monitor its operation.

Hardware

The circuit implementinh modular entropy multiplication consists of a pair of a charge capacitors (C8, C9), opamps, comparators COMP1 andCOMP2, solid state switches SW1 and SW2. The driver controls these switches to run two modular entropy multipliers in parallel.

In the first half of a cycle, we need to determine if the current voltage stored in the capacitor is lower than Vref (2.5V). If thats the case, the whole charge is being multiplied by 1.84. When it is higher, we first need to subtract Vref from it – to prevent overshooting.

This logic can be solved very efficiently using the modulo operation.

In the signal loop, additional noise is collected from components along the way, which forms our random output.

Data is being sampled by readings from the two comparator outputs (tied to the capacitors) resulting in a digital stream that is returned via USB.

digital, analog and clock signal of a single entropy multiplier

Channel# Connected to Signal Multiplier#
1 COMP1 Digital 1
3 C8 Analog 1
4 SWEN1 Clock signal 1

For more insights into modular entropy multiplication check some of the first project updates:

Software

Health monitor

Using modular entropy multiplication a very simple but reliable entropy source like thermal noise can be used to produce a raw stream of 300.000 bit/s with a provable level of entropy of 0,86 bit per bit.

raw device output, revealing the pattern of modular entropy multiplication

Any deviations from this expected level of entropy by more than 3% are treated as “NOT OK” and the data will be discarded, so we can always be sure data seeded into the SHA3 function already was pretty random and was coming from the Infinite Noise.

Using the debug mode you can get an insight:

$ infnoise --debug --no-output 
Generated 1048576 bits.  OK to use data.  Estimated entropy per bit: 0.874112, estimated K: 1.832880
num1s:50.538887%, even misfires:0.100875%, odd misfires:0.191457%

Additionally there are some other basic sanity checks, like looking for more than 20 consecutive 1’s or 0’s.

Whitening

Data passing the health monitor will be seeded into an SHA3 hashing function (aka. Keccak-1600 sponge) to create true random numbers for your applications.

The driver allows application of a multiplier, which defines how many bits will be put out of the hashing function for each incoming bit of entropy. This enables you to generate over 50 megabyte/s of pure random numbers without measurable degradation of entropy.

whitened output, with multipliers of 10 to 10000

The fact that you can actually apply multipliers in range of 10000+ shows how conservative the driver is with the health monitoring - and how well SHA-3 works.

Software

Signed packages for several Linux distributions are available as releases and on my website. For Debian based distros there is also an apt repository.

The driver is the most critical part of this, so make sure you verify the signatures against my PGP Key: 71AE 099B 262D C0B4 93E6 EE71 975D C25C 4E73 0A3C/0x975DC25C4E730A3C. This key is used only for code signing, so please don’t use it for contacting me.

The packages come with a unix service and udev rules to start the driver when the device is plugged in. As default application, the random numbers are passed to the linux kernels entropy pool with no multiplier. There is also a config file under /etc/infnoise.conf to permanently enable options like debug mode or multipliers.

You can always stop or disable the service when you want to access the device directly.

As it’s fully open-source, you can also compile it yourself - but you’ll need to install the service files and udev rule manually.

Anyway, you can check the Github revision from which the software has been compiled by using –version.

$ infnoise --version
GIT VERSION - 0.2.3
GIT COMMIT  - ad40d816ed1e2e09c6f905ce34a01287885bfa47
GIT DATE    - 2018-03-02T21:59:58+01:00
BUILD DATE  - 2018-03-02T22:07:22+01:00

In the additional package infnoise-tools, you will find some tools to process random data - for generating passwords or to analyze samples.

$ infnoise-passgen random.out 10
password:suyxi{ez{
This password has 50.00 bits of entropy

During the campaign I’ll work on the tools and driver, so make sure to sign up for updates or tell me your ideas for improvements. Please open issues on Github for feature requests.

how it started

The Infinite Noise TRNG is based on a semiconductor design originally developed by Peter Allan in 1999. The design being produced through this campaign was created by Bill Cox (a.k.a., waywardgeek) and implements it with stock-components and a simple USB interface. The design was not modified by me – I just found the GitHub project and wanted to have one. I’m in touch with Bill Cox and he’s happy to support this effort.

Above was only a short summary of the basic operation principle of modular entropy multiplication. If you want to dive into all the details, please check Bill’s GitHub repository or my fork which is usually some commits ahead.

There is also a recent version from Peter Allen called the Redoubler, but I prefer Bills design as it has no firmware at all.

Device without enclosure

Features & Specifications

  • Random output: Default 30 KB/second of random data
  • Interface: USB2.0
  • Supported platforms: (Windows, Linux, and also ARM-support)
  • Low Power: 8 mA
  • Weight: 10 g
  • Dimensions: 15 mm x 50 mm x 8 mm
  • No firmware
  • Uses off-the-shelf components
  • SHA3-“Whitening” and health monitor built into host drivers
  • Fully open source (see GitHub repo) and OSHWA-certified (#DE000006)

Comparisons

As mentioned above, the key benefit of this architecture is the continuosly verified level of entropy coming from the hardware number generator which is whitened with SHA-3 in the fully open-source driver, so it will never give out a sequence that is not totally random.

In case of an attacker trying to inject a signal, modular entropy multiplication will profit from the signal, resulting in an unsuccessful attack. Only if the injected signal is extremely strong can an attack partially succeed - as the driver will discard the data, resulting in no output at all.

open hardware open software operating principle live health monitor requires firmware output rate pocket-friendly price
Infinite Noise TRNG Yes Yes modular entropy multiplication Yes no >300kbit/s - 500 Mbit/s* Yes 35 $
OneRNG Yes Yes RF & avalanche noise No Yes 350 Kbit/s No 40$
ChaosKey Yes Yes reverse biased p-n junction No Yes 10 Mbit/s Yes 40$
BitBabbler No Yes mix of 4 sources Yes unknown 0.7-1.5 Mbit/s No 40-150$
EntropyKey No No avalanche noise Yes yes 10 Mbit/s No 50$
Linux CSPRNG N/A Yes user-input & timing No N/A only very few bit/s No free

*needs lot of cpu

Manufacturing Plan

You can change how this campaign will be shaped by choosing your pledge by selecting the manual or machine-assembled version.

If you want your Infinite Noise TRNG asap, you should take the manually assembled version which ships out as soon as they’re done. The first 25 units are already built, just waiting for you.

When you’re looking for an even higher quality device, it’s worth waiting for the automatically assembled version, which will be shipped start of June 2018.

Manual assembly

The devices will be assembled using the production line shown below.

Step 1: Solder Stencil, Step 2: Pick and Place, Step 3. Bake it!

The manual pick-and-place process is the most critical part during this process - and takes an hour for a panel of 10 devices.

manufacturing steps

As you see, the manually placed PCB’s are of very good quality - mostly due to the self-alignment properties of surface-mount components. If you watch the animation very carefully, you may notice a capacitor flipping off. This happens sometimes and requires more manual rework afterwards.

Automated assembly

The pain of manual assembly is the reason I want to spend the outcome of this campaign for an automatic pick-and-place machine. The decision for a specific machine was not yet taken - for reasons.

When we reach the amazing goal of $15,000 USD, the “Late Noise” devices will be built using a VisionBot - an automated pick and place machine created by a Romanian Maker.

For lower funds, I’ll probably get a LitePlacer, which is an open-source DIY pick-and-place machine from Finland. At least it could place all the resistors and capacitors. I’m not sure if it’s precise enough for all the chips - but it seems worth trying it out.

If not enough is raised for one of these, I’ll continue building my own machine. The most expensive things for this will be a some good linear rails and the pick-and-place head assembly. I already have the electronics (based on OpenPNP) and some more stuff from previous upgrade-attempts with the manual pnp-machine, but the DIY rails, unsurpisingly, are very imprecise.

Stretch Goals

Custom Security Seals (5K)

When the campaign surpasses the $5000 goal, every device (with enclosure) will be sealed with security seals with its serial number imprinted on them, thus making the device tamper-evident in terms of FIPS. In my opinion, it’s already pretty evident without them, as you can see in this image of one of my prototypes which needed a repair once.

In any case, by using modular entropy multiplication, the Infinite Noise TRNG is very robust against hardware attacks, as the driver will detect changes in the behaviour of the device.

Thus, the best way to verify its correct operation is to use our signed driver packages - or compile it yourself after you’ve checked the code integrity - and use the --debug parameter to take a look at the raw data. Or just run the testsuite available on GitHub (manual interpretation required!).

Windows / Mac Driver Development (10K)

Buying an (almost) ready-to-use pick and place machine frees up some of my time for development of better Windows and/or Mac support. The current Windows implementation allows raw and whitened output to files only. No pipes, no Crypto-API so far.

Parts List

Digi-Key Part # Manufacturer Part # Reference Quantity Description
MC74VHC1G66DFT1GOSCT-ND MC74VHC1G66DFT1G SW1,SW2 2 IC SWITCH SPST SC88A
497-12414-1-ND TSV912IQ2T AMP 1 IC OPAMP GP 8MHZ RRO 8DFN
TC75W57FKTE85LFCT-ND TC75W57FKTE85LF CMP 1 IC COMP DUAL GP PP CMOS US8
768-1126-1-ND FT240XQ-R USB 1 IC USB FS PARALLEL FIFO 24QFN
490-7213-1-ND GRM188R71H103KA01J C1,C7 2 CAP CER 10000PF 50V X7R 0603
490-3302-1-ND GRM188F51A475ZE20D C2 1 CAP CER 4.7UF 10V Y5V 0603
490-1524-1-ND GRM188R71E104KA01D C3,C6 2 CAP CER 0.1UF 25V X7R 0603
445-1277-1-ND C1608C0G1H470J080AA C4,C5 2 CAP CER 47PF 50V C0G 0603
1276-6536-1-ND CL10B221KB8WPNC C8,C9 2 CAP CER 220PF 50V X7R 0603
541-27.0HCT-ND CRCW060327R0FKEA R1,R2 2 RES SMD 27 OHM 1% 1/10W 0603
541-10.0KHCT-ND CRCW060310K0FKEA R3,R4,R5,R8,R9 5 RES SMD 10K OHM 1% 1/10W 0603
541-8.20KHCT-ND CRCW06038K20FKEA R6,R7 2 RES SMD 8.2K OHM 1% 1/10W 0603
490-9702-1-ND BLM18TG601TN1D L1 1 FERRITE BEAD 600 OHM 0603 1LN
1175-1008-ND CNC 1001-011-01101 X1 1 CONN USB A TYPE ULTRA FLAT SMD

Want to order these components? Click to start a Digi-Key cart with quantities for one unit.

Digi-Key

Shipping & Fulfillment

The early batch will ship from Germany, as soon as the devices are produced. I will produce daily batches of ten devices, so the maximum of 225 units will be shipped within four weeks after the campaign ended.

If funds are raised fast enough, production will start while the campaign is still active, so tell your friends about it!

Week Action
17/2018 funded
order parts, pick-n-place machine and enclosures
ship orders 1-25 early bird editions
18/2018 arrival of parts from Digi-Key
ship early bird orders 26-50
19/2018 ship early bird orders 51-100
20/2018 ship early bird orders 101-150
setup pick-n-place machine
21/2018 ship early bird orders 151-225
estimated arrival of more enclosures
22/2018 start automated assembly (hopefully > 100/week)
ship a first batch to Crowd Supply warehouse (for US-orders)

The “late noise” version will be shipped from start of June 2018 using Crowd Supply’s fullfilment service - shipping from Portland - Oregon.

For more information, see Crowd Supply’s information about ordering, paying, and shipping.

Risks & Challenges

To ensure all delivered devices are just perfect, I have implemented a 12h test for every single device, verifying the level of entropy is in the expected range.

Building my own pick-and-place machine is not easy and still pretty expensive. I can’t promise to get this done in time, but I will do my very best. Sign up for updates!

Test reports

Besides the 12 hour test for every single device, there is a testsuite for extended verification of the design of this TRNG. It especially covers the different multipliers for the driver - revealing the full power of this design.

Multiplier Mode Speed Entropy per Byte Failed FIPS blocks CPU load*
0 RAW 30 KiB/s 7.293417 100 % 15 %
0 SHA-3 42.5 KiB/s 7.999999 0.07 % 18 %
0 /dev/random 0.3 KiB/s 7.999999 0.081 % 18 %
1 SHA-3 25 KiB/s 7.999999 0.078 % 19 %
1 /dev/random 14 KiB/s 7.999999 0.073 % 18 %
100 SHA-3 2,25 MiB/s 7.999999 0.087 % 23 %
100 /dev/random 21 KiB/s 7.999999 0.095 % 25 %
10000 SHA-3 77 MiB/s 7.999999 0.074 % 72 %
10000 /dev/random 4.21 KiB/s 7.999999 0.086 % 85 %

*at full output rate with a Intel i7-4558U CPU @ 2.80GHz.

Each row in this table is based on a testrun generating 250 Megabytes of random data.

For more details, dieharder and rngtest check the links below.

Ask a Question

Have a question not answered in the description above or in the Updates?

Ask 13-37.org Electronics a Question or Browse the Crowd Supply Guide

Credits

13-37.org Electronics

Our mission is to make open source hardware available for the German and European market and beyond.


Manuel Domke

Subscribe to the Crowd Supply newsletter, highlighting the latest creators and projects: