Is it possible to generate random numbers using physical sensors?


Question

I've heard about people using light sensors, geiger counters, and other physical sensors to generate random numbers, but I'm skeptical. Is there really a way to generate random numbers from taking measurements of the physical world (using an Arduino or any other microcontroller)? If so, would these numbers ever be really random?

to clarify: the question is about the feasibility of using microcontroller-gathered data to generate random numbers that could be applied soundly to cryptography-- an alternative to relying on a device's entropy.

Recommended answer

Taking analog "real world" measurements usually is a good source of entropy (a.k.a. real random data). Analog sources always have some unpredictable noise superimposed which can be "harvested". However, as was stated before, the measured data is rarely un-biased.

Analog electrical measurements may also be more or less susceptible to uncontrollable influence or even attacks from outside, e.g. by causing saturation of the sensor(s). EMI is also likely to interfere with the measurement; a regular cell phone placed reasonably close to the circuit during a call will most likely wreak havoc on any analog signals.

Un-biased, uniformly distributed numbers of high entropy are commonly those one wants, because their properties (not values) are somewhat normalized and can therefore be more reliably predicted.

When measuring analog input with, say, 10 bit resolution, ideally the range of numbers gathered from the measurement will cover all values from 0 to 1024 and each value will occur with the same frequency (or probability) as any other value from that range.

In reality, those values will often be (more or less) normally distributed (Gauss distributed) around some average value with some characteristic standard deviation, for example around 500 @ 10 bit per sample.

So, in order to generate random values with the desired properties (see above), some de-biasing needs to be done: A randomness extractor of some kind is needed.

Using cryptographic functions, like (one way) hash functions or cipher algorithms, usually easily produces the desired result as well; this comes at a cost though: The "mixing" of those functions is by design extremely strong, which makes it impossible to determine the quality (= randomness) of the source data after the transformation. Even the simplest deterministic sequences of values, like {1,2,3,4,5...}, when hashed produce data that will most likely pass any and all statistical randomness tests pretty well, although it is not "random" at all.

In microcontroller environments a good source of entropy that is seldom thought of is the timing of events. Using a high-speed timer, true entropy can be gathered by reading the timer value in response to some asynchronous event. Such an event, which is uncorrelated with the running timer, may be the push of a button by a user, the start of communication initiated by another (sub-)system or IC, or basically any other event not triggered by the µC (or any synchronous subsystem) itself.

In fact, entropy can even be harvested from just two independent clock sources; for instance by timing cycles of one clock via the other clock. This opens a couple of very interesting possibilities on Atmel AVR µCs (which are used in the Arduino) depending on the µC's capabilities:


  • Most AVRs have internal EEPROM memory. Write operations to this memory are timed by a dedicated timer which is independent of the main system clock (- reportedly there are some chips (not types!) where measurements indicated that this may not be the case)(edit: note that in some AVRs, ATTiny25/45/85 for example, the EEPROM timing is derived from the internal RC oscillator, so that no entropy can be gathered when this oscillator is also selected as the system clock source); this may depend on the main clock source (internal R/C vs. external crystal/resonator). Therefore, there is some (truly random) jitter to be expected in the time it takes to write to the EEPROM with respect to the main system clock, which again can be measured by a high-speed timer/counter.

  • Newer AVRs have the capability to let the watchdog timer generate a software interrupt instead of a hardware reset. The watchdog timer is by design controlled by its own independent clock source, which yields the relative jitter one can measure.

  • Many AVRs have the capability to have a dedicated timer/counter be clocked from an external 32kHz crystal for improved accuracy of real-time measurements. This external crystal is another source of events uncorrelated with the main clock. (Otherwise there would be no use in the extra crystal in the first place...)

The latter seems to be promising for its potential of relatively high bandwidth: When timing each 32kHz clock cycle with a system timer running significantly faster (a factor of 600+ can be achieved on current AVRs @ 20 MHz!) and conservatively assuming only 1 bit of entropy per measurement, this results in 32000+ bits of entropy per second - far more than a µC will ever consume by itself.

EDIT: Meanwhile, I have conducted some simple tests of the 32kHz timer approach, and the short-term results seem to be of pretty low quality. The upper boundary on the generated entropy per sample seems to be really low, while I have not even tested the samples for non-obvious patterns originating from more or less regular phase shifts. This result may be due to the fact that my DUT had its main clock driven by an external crystal which may be expected to be (within the precision of the measurements) equally stable in frequency as the 32kHz quartz when observed over a limited time range. Extending the time between taking two samples (minutes?) will probably return good entropy, yet at a very low bandwidth. (N.b.: The jitter measured may also be partly due to varying interrupt latency depending on the machine instruction executed right at the time the interrupt is triggered.)

EDIT #2: It appears that the internal RC oscillator of my DUT (ATmega1284) produces significant frequency jitter (several kHz/s); running on this oscillator indeed seems to produce pretty much entropy (kBits/s) when timed by the external 32kHz crystal.

In a little experiment I recently investigated the former two methods. On my DUT the EEPROM timing would generally be advantageous over the WDT:

Timing the EEPROM write produced about 4.82 bits of entropy per write operation, while the watchdog timer seems more stable frequency-wise yielding about 3.92 bits per watchdog timeout. Additionally, the EEPROM's write times seem much more smoothly Gauss-distributed where the WDT's distribution seems somewhat asymmetric and with a lot of aberrations.

N.b.: Aggregating multiple "random" events for a single entropy measurement may actually degrade the entropy obtained: Fast, random fluctuations in the source may partially compensate each other, yielding result values with lower deviation from the mean value. So, instead of timing, for instance, one real time second (32k cycles of the RTC crystal) much more entropy can be expected from taking 32k timings (one for each cycle of the crystal) during the same time.

Avr-gcc compiled applications usually have the whole on-chip RAM cleared to 0x00 before executing user code, i.e. main(). Putting code into an early .init section provides access to the raw uninitialized RAM content before it is overwritten by gcc's initialization routines.

Due to minuscule variances in the RAM's physical storage cells (bits) and depending on some true random thermal noise (and other effects), not every cell will initialize itself to the same known state when power is (re-)applied to the chip. Combining the contents of the chip's RAM right after power up with some function can yield significant amounts of entropy to be used later. - The downside of this is that it will only work reliably when power has been turned off for some time and is then turned on again. A normal chip reset, by hardware, software, or external signal, will preserve the RAM's previous content and is therefore not (always) a good source of entropy. However, since the state of the whole system (RAM) at the time of the reset can hardly be predicted in a reasonably complex application some entropy may be gathered immediately after a reset anyway.

The quality of an entropy source has to be seen in relation to its bandwidth and the bandwidth of the use of entropy by the application. Some methods of entropy gathering may not yield more than one bit of entropy during some seconds time while others (not really on µCs...) may produce 100 kbit/s or more.

It must be noted that one cannot algorithmically "create" new entropy from existing entropy! - One bit of entropy cannot be computationally transformed to two bits of entropy.

Thus, one cannot (on average) consume more (real) entropy per time unit than what is gathered from the entropy source(s) in the same time.

When in need of strong random numbers, it is not uncommon to combine one or more sources of real entropy with a strong PRNG, using the entropy gathered to (re-)seed the PRNG each time new entropy is available.

The PRNG can be used to generate much more basically unpredictable data than the entropy source would actually provide in the same time.

As a special kind of PRNG, cryptographic cipher functions can be used, where entropy is used to initialize and update the cipher's key.

Linux's /dev/urandom is commonly implemented this way.

As discussed above, it is quite feasible to generate truly random numbers on a common microcontroller. As for all other sources of entropy, one needs to analyze the raw numbers provided by the entropy source(s) for the amount of real entropy they contain and for the amount of entropy generated per time unit to determine if the source is suitable for the use case or not.

The combination of a true entropy source and a strong PRNG is the approach that is commonly implemented and which should be used on a microcontroller as well.

Edit:

The PRNG approach may not be the best choice for cryptographic key generation. For that one should only use truly random bits to produce a secure key. Gathering this amount of entropy may take some time (seconds maybe), but since key generation is usually not performed very frequently on a µC this may well be acceptable. (On a heavily loaded server with hundreds or more SSL (HTTPS) connections per second this will be quite another issue...)

To produce quality high entropy bitstreams suitable for key generation a randomness extractor as mentioned above should be employed.

(On the other hand, if the amount of entropy in the source's output can be measured or estimated one may simply scale the key length by the factor of (bitlength of key)/(entropy per bit sampled) and then use the raw low entropy data from the entropy source directly to generate this longer key, which will then have the same overall entropy as a fully random key of the original length. If this really does the trick depends, however, on how the cipher handles keys of different lengths.)
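The de-biasing step the answer calls for, as an added example that is not part of the original answer: a von Neumann extractor (one simple kind of randomness extractor) applied to the least significant bit of each raw sample, in portable C rather than AVR-specific code. The function name `vn_extract` and all three sample arrays are constructed for this illustration; they cover a noisy source, a saturated sensor, and the deterministic counter sequence the answer mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Von Neumann extractor over the least significant bit of each raw sample.
 * Samples are consumed in non-overlapping pairs: 10 -> 1, 01 -> 0, and
 * 00 / 11 are discarded. Bits are packed MSB-first into out.
 * Returns the number of bits written (never more than out_cap * 8). */
size_t vn_extract(const uint16_t *samples, size_t n, uint8_t *out, size_t out_cap)
{
    size_t nbits = 0;
    memset(out, 0, out_cap);
    for (size_t i = 0; i + 1 < n && nbits < out_cap * 8; i += 2) {
        unsigned a = samples[i] & 1u, b = samples[i + 1] & 1u;
        if (a == b)
            continue;                  /* equal pair: emit nothing */
        if (a)
            out[nbits / 8] |= (uint8_t)(0x80u >> (nbits % 8));
        nbits++;
    }
    return nbits;
}

/* Constructed 10-bit timer captures clustered around 500 (not measured data). */
static const uint16_t noisy[16] = {501, 500, 500, 500, 502, 503, 499, 499,
                                   500, 501, 503, 502, 500, 500, 498, 501};
/* Constructed saturated sensor: every reading pinned at full scale. */
static const uint16_t saturated[16] = {1023, 1023, 1023, 1023, 1023, 1023, 1023, 1023,
                                       1023, 1023, 1023, 1023, 1023, 1023, 1023, 1023};
/* Constructed deterministic counter 1, 2, 3, ... (no randomness at all). */
static const uint16_t counter[16] = {1, 2, 3, 4, 5, 6, 7, 8,
                                     9, 10, 11, 12, 13, 14, 15, 16};

int main(void)
{
    uint8_t out[2];
    size_t k = vn_extract(noisy, 16, out, sizeof out);
    printf("noisy:     %zu bits, first byte 0x%02X\n", k, out[0]);
    k = vn_extract(saturated, 16, out, sizeof out);
    printf("saturated: %zu bits (a stuck source yields no output)\n", k);
    /* The extractor assumes independent bits: correlated input still
     * passes through, here as a run of identical output bits. */
    k = vn_extract(counter, 16, out, sizeof out);
    printf("counter:   %zu bits, first byte 0x%02X\n", k, out[0]);
    return 0;
}
```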
