Any details of the esp8266 hardware random number generator?

I'm interested in finding out how the esp8266's internal hardware random number generator works. I've looked through the data sheet to no avail. Consensus on the Interweb seems to be that it uses mysterious noise. Does anyone have any further details? Ideally a schematic of the entropy capture circuit and randomness extractor/whitener please?

A deep-rooted feeling in my water is that it's a bit of a con, and not truly random, so I'm looking for evidence either way...


NB. I originally posted this on www.esp8266.com but it seems to have disappeared into pre-moderation purgatory...

Random number generation is not that difficult a task, and I don't think they have any con hidden there, as esp8266 is quite a big and reputable company.

But if you still wanna find it then you should try finding the sequence, if there's any repetition or sequence in their random number generator, then you are the winner. :stuck_out_tongue:

There are many tools for analyzing the output of a random number generator, with code readily available online.

One such RNG test suite.

https://webhome.phy.duke.edu/~rgb/General/dieharder.php

Not really what I meant. I'm looking for any circuit diagrams as to how it works on the chip.

I'm fairly convinced now that the RNG is not a true random number generator. It's just a pseudo random generator using some sort of algorithm like a posh randu. With the WiFi turned off, the RNG produces random numbers at the rate of ~360 Mbps on mine. And that's after randomness extraction/whitening and with the alleged entropy source disabled. That's impossible. The generator should simply stop without an adequate entropy supply, as does /dev/random.

This tweet suggests as much. It sounds like the RDRAND Intel con, which I kinda understand from a security services perspective. I just wondered if anyone knew the internal mechanism.

Noise in ICs is usually derived from a reverse-biased and over-voltaged base-emitter junction.
How many such exist, how they perform, and whether they influence each other, are other questions... as is what they do with the noise...

Surely the random number tests can detect mere PRNGs?

Well actually it's impossible to tell. A pseudo random sequence is computationally indistinguishable from a true random sequence. That's just computer science. So the only way to identify a TRNG is by inspection. The cost, size, lack of voltage/charge pumps/inductor components and a generation rate of ~360 Mbps all strongly suggest to me that it's a PRNG with a little random seeding somewhere. We see exactly the same 'fiddle' on the current Intel chips.

Hence my inquiry after a schematic...

A pseudo random sequence is computationally indistinguishable from a true random sequence.

Really? I mean, LFSRs are considered a type of PRNG, and they're not actually random at all (although I guess they behave OK, statistically?). If the returned values are comparable in size to the shift register length, you should be able to detect that you're getting similar sequences repeated. In fact, a function like Arduino's random() is "obviously" Pseudo, since you get the same results every time, if you give it the same seed.
I guess that "really good" PRNGs hide algorithms, have good mixing functions, and very long sequences, so they can be difficult to detect/predict, approaching real randomness...
Some relevant discussion here: randomness - How can it be detected that a number generator is not really random? - Computer Science Stack Exchange

FWIW, the SAMD51 from Atmel claims to have a TRNG that produces 32 bits every 84 clocks (120MHz, so ... about 45Mbps?), and their manual doesn't have any more details than "entropy source"-->"control logic" and "Passed NIST Special Publication 800-22 Tests Suite and Diehard." I suspect that getting more detailed info than that out of a Chinese silicon producer is going to be pretty impossible. :frowning:

(I remember trying to get a "more real" random number generator for an embedded system, a long time ago.
Hunted all over for entropy, and had a hard time finding more than a couple of bits at a time. PITA!)

How, might I ask, are you getting data out of an ESP8266 at 360Mbps?

I think you're doing your math wrong - it's not plausible that you're getting anything from the ESP8266 at 2.25 times its clock speed.

Reading the RNG registers in a tight loop, 32 bits at a time? 11M read/s? Sounds doable.
Not getting data "out" per se, just poking the RNG...
(So, is the data actually looking random? Not consecutive reads of the same value, because you're forgetting to check some "RNG_READY" bit somewhere (that might not be documented)?)

I've looked through the data sheet to no avail.

Oh wait - I thought "no avail" meant that the datasheet was missing the details you were looking for. In fact, I can't find a datasheet that mentions the RNG at all!
All I can find is a Twitter post pointing to an inaccessible (temporarily?) web site.

A deep rooted feeling in my water is that it's a bit of a con

An interesting thought. Not on the part of Espressif, AFAICT...

DrAzzy:
How, might I ask, are you getting data out of an ESP8266 at 360Mbps?

Like so, in about 88 ms:-

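void setup() {
  Serial.begin(115200);  // open the serial port used by the prints in loop()
}

void loop() {
  uint32_t then = millis();
  // Time one million 32-bit reads of the RNG register.
  for (uint32_t i = 0; i < 1000000; i++) {
    uint32_t randNumber = RANDOM_REG32;
    (void)randNumber;  // value is discarded; only the read is being timed
  }
  uint32_t now = millis();
  Serial.println(now - then);    // elapsed milliseconds for the reads
  Serial.println(RANDOM_REG32);  // one sample value
  delay(1000);
}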

RANDOM_REG32 is the register where the RNG lives.

If the output is something like (AES-CBC) xor (minuscule/intermittent bit of entropy), it will be scientifically impossible to differentiate from a true random sequence. It will pass all cryptographic randomness tests like Dieharder, TestU01 etc. Yet it will be principally a pseudo RNG.

NB. Software based AES encryption requires ~18 clock cycles per byte. My results seem to indicate ~ 1 clock cycle per byte @ 80MHz. Hmm... :o
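
Added example, not code from any poster in this thread: the two claims above (an LFSR's structure is detectable; a cryptographic construction passes statistical tests while still being a pseudo RNG) can be checked with one such test, linear complexity via Berlekamp-Massey. The 16-bit LFSR taps, the SHA-256 counter stream standing in for a cryptographic PRNG, the seeds and all function names are assumptions chosen for illustration.

```python
import hashlib
import os

def lfsr16_bits(seed, n):
    """n output bits of a 16-bit Fibonacci LFSR (x^16 + x^14 + x^13 + x^11 + 1)."""
    state, out = seed & 0xFFFF, []
    for _ in range(n):
        out.append(state & 1)
        fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (fb << 15)
    return out

def bytes_to_bits(data, n):
    return [(byte >> k) & 1 for byte in data for k in range(8)][:n]

def sha256_ctr_bits(seed, n):
    """Deterministic SHA-256(seed || counter) stream: a stand-in cryptographic PRNG."""
    blocks = (n + 255) // 256
    stream = b"".join(hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
                      for i in range(blocks))
    return bytes_to_bits(stream, n)

def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR producing bits."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    length, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:                       # current LFSR mispredicts bit i: patch it
            prev = c[:]
            for j in range(n - (i - m)):
                c[j + i - m] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, prev
    return length

def compare(n=512):
    """Linear complexity of n bits from each source (constructed inputs)."""
    return {
        "lfsr16": linear_complexity(lfsr16_bits(0xACE1, n)),
        "sha256_ctr": linear_complexity(sha256_ctr_bits(b"fixed seed", n)),
        "os.urandom": linear_complexity(bytes_to_bits(os.urandom(n // 8), n)),
    }

if __name__ == "__main__":
    for name, lc in compare().items():
        print(f"{name:11s} linear complexity = {lc}")
```

The LFSR collapses to a linear complexity of 16, while the hash-based stream lands near n/2 alongside os.urandom, so this test flags the weak generator but cannot separate the cryptographic PRNG from the OS entropy source.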