1 of 19

RF based True Random Number Generator (TRNG)

Tom Broumels

tom.broumels@os3.nl

Philipp Mieden

philipp.mieden@os3.nl

2 of 19

True Random Number Generators (TRNG)

2

OneRNG

It lost, because its name is not fancy enough

https://altusmetrum.org/ChaosKey/

https://github.com/waywardgeek/infnoise

Geiger counter

Infinite Noise

ChaosKey

RTL_SDR Dongle

RTL2832 chipset

DVB-T

Quantis QRNG

HackRF One

… and RF?

When talking about random number generators, we can distinguish two different classes: psuedo random and True random number generators.

Pseudo random number generators are deterministic, so knowing the algorithm and seed enables an attacker to predict the next generated number. To prevent this, entropy from hardware could be an outcome.

There are different sources for randomness (such as noise in an electrical circuit, radiation, user input or quantum effects). The input of such devices is not always nicely distributed, this can be solved by combining sources or randomness extraction.

We have focussed on getting random data out of the SDR hardware.

~50 sec.

==========================================================================================================================================

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Sourece: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

3 of 19

TRNG Properties

3

NIST Special Publication 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation

NIST 800-22 Entropy source model

Properties of suitable TRNGs are described in NIST recommendations.

Analog noise, in our case radio waves on a quiet frequency, is digitized. If necessary, the entropy is increased by conditioning before it can be used. To prevent security issues due to malfunctions, health tests are recommended to detect issues with the generated data and to inform the system that is using that RNG.

But how to test if something is random?

~40 sec.

=====================================================================================================

Lets assume for now that these recommendations are not making crypt analysis easier for the NSA.

For validating the RNG, at least 100000 sample values should be obtained from the noise source.

A good random number generator generates values that are both independent (so future generated values are not influenced by generating a value) and unpredictable (there is 50/50 chance for each bit).

4 of 19

TRNG Testing

4

NIST Special Publication 800-22 Revision 1a: “A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications”

Example Statistical Test Tool (STS) output:

Another NIST publication describes a set of statistical tests that can identify bad randomness. So it can prove that something is not random, not that something is random. Nor does it check for implementation issues.

All tests combined test for uniformity, scalability and consistency.

Simple examples of test are The Frequency Test, counting the frequencies of ones and zeros, or the Runs test to check for runs of 0’s or 1’s.

The test suite takes random data as input, divides it in a specified amount of chunks, and per test calculates a probability p for each chunk. The distribution of the p values over the classes C1 to C10 is displayed in the p-value column and if above a certain value, the proportion of tests is valid -if- it is above a certain threshold.

Our experiments are performed using 1000 samples of 100.000 bits per RNG.

~45 sec

==================

All tests combined test for uniformity (is at any point 50/50 change?), scalability (is a subsequence extracted also random?) and consistency (is randomness reached repeatedly?)

Vincent Breider(offline)

_{2:02 PM}

hint: ent / chi-square, montecarlo pi approximation

Not sure about that hint :)

Knowledgeable crypto practitioners do not calculate π using a Monte Carlo method to determine if a series of numbers are random.

https://crypto.stackexchange.com/questions/24610/why-calculate-pi-to-estimate-randomness

Chi-square is part of the test suite, as a reference distribution:

A number of tests in the test suite have the standard normal and the chi-square ( χ2 ) as reference distributions.

Nist Statistical Test Suite documentation: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

NIST validation software: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/random-number-generators#DRBG

Nist entropy measurement tool info :https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Sourece: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

5 of 19

Randomness and SDR

5

Receiver signal = Sender signal - Loss + Noise

Noise: atmospheric, thermal, radio frequency interference

HackRF

RTL_SDR

Because noise is what we are looking for, we will expect quiet frequencies to be interesting because noise will make the major part of the signal. If we look at the DBV and HackRF receivers using a spectrum analysis without applying gain, we already see a difference in noise received. Given the costs of the DVB, we suspect it to be thermal noise.

~ 20 sec

======================================================================================================

Hackrf 1 intro

atmospheric noise, radio frequence interference, thermal noise

atmospheric noise (electrical processes in the atmosphere), radio frequence interference (manmade signals picked up by antenna), thermal noise (circuit, thermal motion of molecules).

Nist entropy measurement tool info :https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Sourece: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

6 of 19

Experiment: Raw signal data (different frequencies)

6

https://www.electronics-notes.com/articles/basic_concepts/electronic-rf-noise/radio-frequency-noise-basics.php#:~:text=White%20noise%3A%20White%20noise%20is,all%20frequencies%20of%20interest%20equally.

Without interference: 148 out of 188 tests failed

When sending continuously: 152 out of 188 tests failed → Adding something here?

Conclusion: poor results

Raw signal data

Test

Using

STS

- 433 MHz (IoT, License free)

- 790 MHz (MFCN, PPDR)

- 862 MHz (Telecom)

- 1300 MHz (Aeronautical)

- 1559 MHz (GNSS: Glonass, Galileo)

- 2200 MHz (Space research, Radio Astronomy)

1 MHz (Broadcasting)
5 MHz (Space Research)
10 MHz (Standard frequency and time)
74 MHz (Radio Astronomy / Amateur)
95 MHz (FM)
145.80 MHz (ISS)

https://docdb.cept.org/download/2ca5fcbd-4090/ERCReport025.pdf

Dutch Frequency Table: https://wetten.overheid.nl/BWBR0035791/2020-10-20

The previous DVB output might look pretty random at a first glance, but we measured the quality of generated data. It turned out to be not random at all, passing only around one fifth of the tests.

We ran similar tests on input captured on different frequencies.

~ 20 sec.

======================================================================================================

Nist entropy measurement tool info :https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Sourece: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

PPDR = Public Protecton and Disaster Relief

MFCN = mobile/fixed communications networks

7 of 19

Attack Vector - Influencing input

7

https://www.electronics-notes.com/articles/basic_concepts/electronic-rf-noise/radio-frequency-noise-basics.php#:~:text=White%20noise%3A%20White%20noise%20is,all%20frequencies%20of%20interest%20equally.

hackrf_transfer -t 80H.bin -f 433920000 -x 47 -l 40 -g 62

call hackrf_set_sample_rate(10000000 Hz/10.000 MHz)

call hackrf_set_freq(433920000 Hz/433.920 MHz)

No interference:

148/188 tests

failed

Interference:

152/188 tests

failed

Another problem is that by continuously sending data with the HackRF, we could further reduce the entropy leading to even more failed tests. At the bottom right you can see a visual pattern induced.

So it probably is a bad idea to directly use this data as input, as one can use this to influence the uniformity and with that the predictability.

~ 25 sec.

------------------------------------------------------------------------------------------------------------------------------------------------------------------

Nist entropy measurement tool info :https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Sourece: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

8 of 19

Attack Vector - Replication of hardware

8

9 of 19

Randomness Extraction - Von Neumann extractor

9

Bit loss measured between 69% and 94%

Debiasing algorithm works on pairs of bits:

- If the input is 00 or 11: input is discarded (no output)

- If the input is 01: output a 0

- If the input is 10: output a 1

Our implementation with unit tests: https://github.com/dreadl0ck/debias

https://www.esat.kuleuven.be/cosic/blog/co6gc-deterministic-extraction-for-truly-random-bits/

If the distribution of bits is not uniform, Von Neumann can be used to correct this.

The algorithm looks at two bits.

If the its are the same, the bits are discarded.
If the bits differ, the first bit is returned.

In the process, typically around 75% of the bits are lost.

===============

The Von Neumann extractor can be shown to produce a uniform output even if the distribution of input bits is not uniform so long as each bit has the same probability of being one and there is no correlation between successive bits

Santha and Vazirani proved that several bit streams with weak randomness can be combined to produce a higher-quality quasi-random bit stream.^[9]

Even earlier, John von Neumann proved that a simple algorithm can remove a considerable amount of the bias in any bit stream^[10] which should be applied to each bit stream before using any variation of the Santha–Vazirani design.

10 of 19

Kaminsky

Debiasing

10

SHA256 created from discarded output bytes
Hash is used as input for AES256-CBC cipher
IV: set to a static value for our experiments
Output of encryption is the final result

Kaminsky

Debiasing

11 of 19

Attack Vector: Denial of Service on Von Neumann

11

An attacker could create a signal that decodes to a stream of discarded information:

Signal contains large amounts of consecutive zeros or ones
Data generation could be blocked, since Von Neumann debiasing outputs no bytes
Faraday Cage to defend against interference?

No more atmospheric noise!

Antenna could be disabled, to only capture thermal noise from device

12 of 19

Attack Vector: Partial Denial of Service on Von Neumann

12

0xFF bytes: 166.4 failed tests on average (SD=5.6)

1.8MB on average (SD=0.2MB/s) per 100MB

No interference: 116.2 failed tests on average (SD=19.8)

26.6MB on average (SD=1.2MB) per 100MB

170,167,161,172,162

120,124,123,128,86

Failed with interference: 166.4 ±5.561 (±3.34%)

Failed without interference: 116.2 ±19.726 (±16.98%)

interf.

2206713,1739470,1753536,1727665,1821945

1849865.8 ±233635.669 (±12.63%)

1.8MB/s (SD = 0.2MB/s)

no interf.

24798401,26747774,27085777,27219614,27206539

26611621 ±1188135.318 (±4.46%)

26.6MB/s (SD = 1.2MB/s)

2.2, 1.7, 1.8,1.7,1.8 = 1.84 ±0.239

8.3,8.9,9.0,9.1,9.1 = 8.88 ±0.493

fileName,bytesIn,bytesOut,duration,sizeDecrease,inputBytesPerSecond,outputBytesPerSecond

100M_interf_0xff_1.bin,100000000,2206713,1.462456817s,-97.79%,100 MB/s,2.2 MB/s

100M_interf_0xff_2.bin,100000000,1739470,1.280736967s,-98.26%,100 MB/s,1.7 MB/s

100M_interf_0xff_3.bin,100000000,1753536,1.384741582s,-98.25%,100 MB/s,1.8 MB/s

100M_interf_0xff_4.bin,100000000,1727665,1.301156558s,-98.27%,100 MB/s,1.7 MB/s

100M_interf_0xff_5.bin,100000000,1821945,1.462163181s,-98.18%,100 MB/s,1.8 MB/s

100M_no_interf_1.bin,100000000,24798401,3.411602953s,-75.20%,33 MB/s,8.3 MB/s

100M_no_interf_2.bin,100000000,26747774,3.398315306s,-73.25%,33 MB/s,8.9 MB/s

100M_no_interf_3.bin,100000000,27085777,3.709802322s,-72.91%,33 MB/s,9.0 MB/s

100M_no_interf_4.bin,100000000,27219614,3.806987751s,-72.78%,33 MB/s,9.1 MB/s

100M_no_interf_5.bin,100000000,27206539,3.775998585s,-72.79%,33 MB/s,9.1 MB/s

SD = Standard Deviation

13 of 19

Results

13

Throughput measurements for our debiasing implementations and NIST tests:

Hardware	Final Output Rate	Failed tests (out of 188)
RTL_SDR HackRF /dev/random /dev/urandom rtl_entropy rfrand	~7.82 MB/s (VN) ~7.0 MB/s (KA) ~4.91 MB/s (VN) ~3.6 MB/s (KA) 0.4 MB/s (SD=0.05) 34.6 MB/s (SD=6.57) 100 - 300 kB/s 900 kB/s - 1.2 MB/s	7-165 (VN) 1-3 (KA) 157-162 (VN) 1-4 (KA) 3-5 1

High entropy signals with VN debiasing only:

74 MHz (Radio Astronomy / Amateur) => 14 failed tests
145.80 MHz (ISS) => 7 failed tests

Random:

481, 467, 420, 370, 398, 374

99% confidence: 418.3333kB/s ±49.357 (±11.80%)

URandom:

38.7, 37.3, 41.2, 37.0,26.9,26.7

99% confidence 34.6333MB/s ±6.569 (±18.97%)

Hardware: Capture rates

Output Rate VN:

DVB captures yield higher output data rate due to higher randomness
HackRF yield lower output data rate due to lower randomness

Output Rate KA:

Kaminsky output data rate is lower because of additional computational overhead of AES
AES is usually hardware accelerated

Failed Tests:

DVB vs HackRF

DevRandom: blocking

URandom: not blocking

Explain high entropy signals with VN only.

===============

Nist entropy measurement tool info :https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

14 of 19

Conclusions

14

Signals on the frequencies tested are not random enough to pass the NIST STS test suite unaltered

randomness extraction using Von Neumann and Kaminsky can be used

RTL_SDR hardware delivered better entropy, due to higher amount of noise, resulting in more bits left after randomness extraction in comparison with the HackRF

The random number generator should be able to detect failures and behave in a blocking way if randomness cannot be guaranteed

This can be used for Denial of Service attacks, see demo video

Alternatives that are less prone to remote influences are appealing alternatives

ChaosKey etc
Or use proven CSPRNG algorithms and libraries such as Fortuna

TODO

===============

Optimal: Faraday cage to avoid interference

Only thermal noise from devices inside available

Nist entropy measurement tool info :https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-22r1a.pdf

“but are not truly random. This is because the software methods in PRNG are deterministic, and the sequence of numbers are determined by an initial value and keys. “

Sourece: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

We want high entropy random numbers.

Increasing noise makes good randomness:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6806610/pdf/sensors-19-04130.pdf

construct very good TRNGs at a relatively low cost. The advantages of the proposed true random number generator using FM radio signals are as follows. First, there are various channels for wireless communication, such as mobile communication, DMB, and so on; nevertheless, FM broadcasting is still used worldwide, and becomes more important in disaster situations. It is expected that FM radio signals are continuously broadcasting, so using it as a TRNG is likely to be useful in the future, too. Second, FM bands receive different signals according to their geographic locations, and different signals are collected due to ambient noises even at the same location and time. This characteristic is a good source for generating true random numbers, because it is heavily affected by reception and ambient noise

15 of 19

Questions?

15

Security and Network Engineering

https://os3.nl

University of Amsterdam

https://uva.nl

Research notes and (CS unverified) TRNG code: https://github.com/dreadl0ck/rf-entropy

16 of 19

Data Rates and Entropy measurements during attacks on Von Neumann debiasing

16

Output rate of random data drops due to discarding in VN

Input entropy drops due to interfering signal

Entropy not affected by attack

10011001

01010101

10011001

01010101

17 of 19

17

Bonus Video: Interfering with Von Neumann debiasing

18 of 19

Bonus: Entropy analysis of raw input data

18

19 of 19

Bonus: Key Prediction attack on Kaminsky Debiasing

19

If an attacker would have a strong RF signal it would allow to:

Control the discard buffer that is hashed and used as AES key (eg: 0000000…)
Control the output buffer (e.g: 00000...)

Allows for known plaintext attacks

The security of the final AES encryption is reduced to the used IV (16 byte value)

could be recovered with exhaustive search in worst case