Newsgroups: sci.crypt

Subject: Re: generating one-time pads
Message-ID: <>
Date: Sat, 20 Jun 92 19:56:52 PDT
Organization: The Portal System (TM)
References:  <>
+           <>
Lines: 51

In 6/20/92 01:26 47/2081 (Nico E. de Vries) writes:

> In <> writes:
>>3.  I designed and developed in Cryptosystems Journal a hardware random
>>    number generator based on 16 crystal oscillators (typically each
>>    oscillating at 20 MHz - 30 MHz, for an aggregate frequency of 320 MHz -
>>    480 MHz).  Specifically, I published Printed Circuit Board (PCB) artwork.
>>    The parts cost less than $40 (if you know where to get parts cheap and
>>    etch the board and build it yourself).  Most importantly, I tested over
>>    2 Billion bits using 18 statistical tests from Knuth.  The empirical
>>    results are almost exactly as expected.
>Why 16 crystals? 2 crystals should be enough. An IBM-PC has 2 and those
>are the ones I use in my source.

In response to Nico's question:

My testing shows that my hardware-generated random bits don't get *really*
good unless you use 11 (or more) oscillators.  I should also say that
each set of four crystal oscillators is latched into a 74LS175 Quad D Flip-Flop
and that these bits are XOR'd by a 74LS86.  I believe that the reason that
multiple crystal oscillators are needed is because the crystal oscillators
do *not* have 50/50 waveform symmetry, but typically 60/40 waveform symmetry.
Indeed, my testing shows that a figure of merit I calculate improves
40% for each additional oscillator added (up to 11, whereupon it does not
show further improvement).  Therefore, I would be cautious of using only
two crystal oscillators, unless you have statistically tested at least a few
hundred million bits that you've generated.

AT&T's T7001 Random Number Generator Chip *does* use *two* oscillators
operating typically at 8 MHz and 1 kHz (which I assume limits the chip
to outputting no more than 1000 random bits per second).  My caution above
was directed at using off-the-shelf crystal oscillators (as would be found
in a PC), not directed at the design of this more complex and custom IC.

I feel that the generation of random bits is an all-too-often overlooked
aspect of implementing secure cryptosystems.  If we assume (as is usually
the case) that the security must rely solely on the keys, then the keys
had better be *really* random.  For small keys (like DES), you could
flip a coin if you wanted to, but when you are talking about a thousand
bits or a million bits or 50 million bits, I sure think that inexpensive
hardware is the way to go.

          Tony Patti
          Editor & Publisher
          Cryptosystems Journal
          P.O. Box 188
          Newtown, PA  18940-0188
          Phone: 215-579-9888
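
Added example, not part of the original post or of the Cryptosystems Journal design: an idealized model of the XOR combiner described above, showing how the bias of the output bit shrinks as more 60/40 sources are XOR'd together and how many bits a simple ones-count test needs before it can see that bias. It assumes each oscillator sample is an independent bit that reads 1 with probability 0.6; the function names are hypothetical, and the post's own "figure of merit" is not defined there, so it is not reproduced.

```python
import random

def xor_bias(p_one: float, n: int) -> float:
    """P(XOR of n independent bits = 1) - 1/2, via the piling-up lemma."""
    return -0.5 * (1.0 - 2.0 * p_one) ** n

def bits_to_detect(bias: float, sigmas: float = 3.0) -> float:
    """Rough sample size at which a ones-count test sees `bias`.

    Over N fair bits the fraction of ones has std dev 0.5/sqrt(N), so the
    bias stands out at `sigmas` deviations once N >= (sigmas*0.5/bias)^2.
    """
    return (sigmas * 0.5 / abs(bias)) ** 2

def simulate(p_one: float, n: int, samples: int, seed: int = 1992) -> float:
    """Measured bias of the XOR of n simulated biased sources.

    Assumption: sources are independent. Real oscillators sharing a board
    and power supply may be correlated, which this model does not capture.
    """
    rng = random.Random(seed)  # seeded PRNG, for the simulation only
    ones = 0
    for _ in range(samples):
        bit = 0
        for _ in range(n):
            bit ^= rng.random() < p_one  # one 60/40 source sampled once
        ones += bit
    return ones / samples - 0.5

if __name__ == "__main__":
    P_ONE = 0.6  # constructed input: the 60/40 waveform symmetry from the post
    print(f"{'n':>2} {'predicted':>12} {'measured':>10} {'bits to detect':>15}")
    for n in (1, 2, 4, 8, 11, 16):
        predicted = xor_bias(P_ONE, n)
        measured = simulate(P_ONE, n, 200_000)
        need = bits_to_detect(predicted)
        print(f"{n:>2} {predicted:>12.3e} {measured:>10.4f} {need:>15.3e}")
```

In this model the residual bias falls below what 200,000 samples can resolve after only a few sources, which is why measured results on real hardware, where independence is not guaranteed, need very long test runs.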