Working on README

Makefile

@@ -2,3 +2,6 @@ all: infnoise
 
 infnoise: infnoise.c
 	gcc -Wall -std=c99 -O3 -m64 -march=native -o infnoise infnoise.c -lm
+
+clean:
+	rm -f infnoise

README.md

@@ -0,0 +1,88 @@
+##Infinite Noise Multiplier
+
+![Schematic Infinite Noise Multiplier](infnoise_small/schematic.png?raw=true "Infinite
+Noise Multiplier")
+
+The Infinite Noise Multiplier is an architecture for true random number generators (TRNG).
+Besides being simple, low-cost, and fast, it is easy to get right, unlike other TRNGs.
+
+### The Problem: Noise Sensitivity, and Signal Injection
+
+True random number generators are very difficult to get right.  Generally, they amplify a
+tiny noise signal, perhaps only a microvolt in amplitude, by a factor of millions or
+billions, until the signal is an unpredictable digital signal.  This signal is then
+sampled to see if it's a 0 or 1.
+
+The problem with this aproach is the weak noise source can easily be overridden by other
+nearby signals, which may be under the control of an attacker.  Power supply noise can
+cause zener diodes to avalanche with predictable timing.  Thermal noise can be overridden
+by nearby radio sources, such as EMI from a CPU.  Oscillator drift can be controlled
+through syncrhonous power-supply noise.  Jitter can be controlled through cross-talk and
+power rail droop.  On ICs, substrate currents can override thermal noise.  Cross talk
+strong enough to override these tiny sources of noise can be introduced through radio
+waves, inductive coupling, capacitive coupling, or even "microphonics", due to physical
+vibrations in the system.  These circuits are sometimes even light sensitive.
+
+Systems built with massive amplification of tiny noise sources often require power supply
+filters, EMI shielding, and even light shielding, and even then remain difficult to prove
+secure.  Such systems can be difficult to audit, because their signal traces are
+inaccessible behind layers of shields.
+
+Intel's RDRAND instruction is a perfect example.  It uses massive amplification of thermal
+noise to determine the power-up state of a latch.  Unfortunately, this source of entropy
+is highly power-supply, cross-talk, and substrate current sensitive.  Intel claims to have
+carefully shielded their thermal noise source, but without a thorough pubic audit of both
+the design and layout, including all potential sources of interference, it is not possible
+to trust the RDRAND instruction as the source of entropy for cryptography.
+
+With such strong sensitivity, these TRNG architectures are potential targets for signal
+injection by an attacker, who can cause the TRNG to generate his desired output rather
+than true random data.
+
+### The Solution: Modular Multiplication
+
+Unpredictable noise sources are tiny, and must be massively amplified to be used by an
+TRNG.  Other TRNG architectures amplify these signals until they saturate, becoming
+digital 1's and 0's.  They rely on careful design and shielding to keep outside signals
+from influencing the noise source.
+
+For example, if we amplify a tiny noise source by 1 billion in a system that saturates at
+3.3V, then 1uV of noise will be amplified causing the output to be about 3.3V.  An
+attacker need only introduce at least -1uV to cause the TRNG to saturate at 0V instead.
+An attacker even this tiny influence over the noise source can entirely control the
+output.
+
+This is the wrong aproach.  Instead, TRNGs should use modular multiplication to amplify
+their noise source, because modular multiplication never saturates.
+
+If we multiply a 1uV peak by 1 billion modulo 3.3V, then the result will be about 0.3V,
+which will result in a ditital 0.  If an attacker subtracts 1uV, causing our noise source
+to be at 0.0V, then after amplification, the output is 0V, which still results in a 0.  In
+fact, without knowing the current amplituded of the noise source, there is no signal an
+attacker can add to our noise source that will result in a desired output.  He may be able
+to flip the output bit, but since it was already random, his signal injection fails to
+control the result, which is still random.  In fact, an attacker's injected signal causes
+the output to be *more* random, since an attacker is a nice unpredictable source of
+entropy!  Infinite Noise Multipliers *add* entropy from all noise sources, even those from
+an attacker.
+
+### Variations
+
+There are currently 3 versions of Infinite Noise Multipliers documented here.  The
+infnoise_small directory describes a low part-count design that works well with op-amps
+which have rail-to-rail inputs and outputs.  The infnoise_fast directory contains a faster
+design that uses a few more resistors and an additional op-amp.  This design is suitable
+for use with a wide range of op-amps.
+
+Because Infinite Noise Mulitpliers are switched-capacitor circuits, it is important to use
+components with low leakage.  Op-amps with below 1nA of input bias current will enable
+running at lower frequencies with less power.
+
+There is also a [CMOS version described here][infnoise_cmos/RNG].
+
+### Free As in Freedom
+
+I, Bill Cox, came up with The Infinite Noise Multiplier architecture in 2013.  I hereby
+renounce any claim to copyright and patent rigts related to this architecture.  I'm giving
+it away emphatically freely.  Furthermore, I am aware of no infringing patents and believe
+there are none.  It should be entirely safe for use in any application.

infnoise_cmos/RNG.html

@@ -0,0 +1,112 @@
+<html><head>
+<meta http-equiv="content-type" content="text/html; charset=windows-1252"></head><body><h1>The Infinite Noise Multiplier</h1>
+<p>This design is an "Infinite Noise Multiplier", a hardware true random number
+generator.  The name was inspired by my daughter, who is a never ending source
+of randomness.</p>
+
+<p>The idea is simple: there is noise in every system.  All you have to do is
+amplify it.  This switched-cap circuit has a voltage V, which it multiplies by
+2 every cycle.  If V is greater than Vref/2, then it subtracts Vref/2, thus
+keeping V between 0 and Vref/2.  The truly random output bit is just the output
+of the comparator between V and Vref/2. </p>
+
+<p>This is best understood digitally.  If you have a random value between 0 and
+1, say .1001110110001, then this circuit would multiply by 2, getting
+1.001110110001X, where X is some new random noise.  It would subtract out 1
+because the value is &gt; 1, and if X is 0, we get: 0.0011101100010.  Continuing
+this process, we shift out the bits one at a time, while noise creates random
+data in the least significant bits.  The circiut is insensitive to non-random
+signal injection.  If you add a non-random signal to the value, you get
+different, but still random bits shifting out.</p>
+
+<p>There is a bit more to it than this.  The voltage followers can only drive
+down to about 0.1V, which is good, because it creates a voltage to start
+multiplying.  The multiplier only multiplies by about 1.8 instead of 2, which
+is also good, for keeping the voltage from running away.  We subtract slightly
+less than Vref/2 so that V is always between about .2V and Vref/2V.  The
+voltage followers introduce significant distortion and voltage offset.  All
+this results in non-perfect random output.  From SPICE simulations it seems
+that there may be a 25-ish% correlation between bits (this requires more
+analysis), and a 10-ish% bias for more 1's than 0's.  To get high quality random
+data out, I have to XOR many of these partially random bits together.  Here is
+the math to support this approach:</p>
+
+<p>Let b represent the maximum amplitude of a bias/correlation function between
+bits so that the probability of an attacker guessing correctly an output bit
+knowing all the surrounding bits is no higher than 0.5 + b.  As I XOR these
+bits together, the probability of being able to guess the bit drops.  Call the
+max amplitude of the bias/correlation when XORing n bits together B(n).  Let
+P(n) be the probability of an attacker correctly guessing the output bit with
+n bits XORed together.  Then: </p>
+
+<p>
+P(n+1) = (.5 + b)(.5 + B(n)) + (.5 - b)(.5 - B(n)<br>
+P(n+1) = .5 + 2*b*B(n)<br>
+B(n+1) = 2*b*B(n)<br>
+B(n) = (2*b)^n*b<br>
+</p>
+
+<p>I am XORing 80 bits together.  With b = .25, B(80) = 2e-25, which should be more than
+adequate for any crypto purposes.  However, I still recommend that the output of this RNG
+be further randomized with a cryptographically strong pseudo random number generators or
+hash function, just to be sure.</p>
+
+<p>I am implementing this design on a tiny .35u mixed-signal IC.  It occupies
+about 0.04 mm^2, and runs at 8MHz in SPICE simulations.  25 fit per mm^2, cnd
+each consumes about a milliwatt.  Each outputs 8Mbit/sec, but XORing 80 bits
+together reduces it to 100Kbit/sec.  Per mm^2, it should generate 2.5Mbit/sec
+of crypto ready random bits.  This is a very low power process.  In a high
+speed process, it should be possible to run at 100MHz instead of 8MHz, and the
+circuit should shrink dramatically.</p>
+
+<p>Here are my awful hand-drawn schematics.  The first schematic shows that on
+phase 1 we sample the voltage from the previous cycle, and store it on two hold
+capacitors in parallel.  An NMOS transistor is used as a switch from the buffer
+of the previous stage.  During phase 2, we use three more NMOS switches to
+stack the two capacitors, which in an ideal world would multiply the voltage by
+2, but because of parasitics, it only does about 1.8.  The output of the
+stacked capacitors feeds through a voltage-follower buffer into the next stage.
+Here there are two switchies: one to feed another hold capacitor during phase 2,
+and another to feed an almost identical hold capacitor also in phase 2.  The
+first hold capacitor feeds the positive terminal of a comparator, while Vref/2
+feeds the negative.  This is a clocked comparator that compares its inputs on
+the start of phase 1.  If the held voltage is greater than Vref/2, the
+comparator subtracts a charge from the other hold capacitor that causes its
+voltage to drop ideally by Vref/2.  Due to parasitics it's somewhat less than
+this.  This second hold capacitor where the subtraction occurs then feeds into
+another voltage follwer buffer, which loops back to where we started, so the
+process can repeat.  The voltage follower schematic is also shown, and is
+simply 4 mosfets: two for current sources and a matched diff pair.  It is a
+standard source-coupled voltage follower.  Vref/2 is generated with a simple
+resistor divider.  The two phases of the clock are generated with back-to-back
+NOR gates, which is also standard.  The clocked comparator is a standard
+circuit as well, which is based on two inverters feeding back on each other,
+with some mosfets to reset the inverter outputs to 1 when the input clock is
+high, and when it goes low, the inverters are connected, and will flip one way
+or the other.  Two mosfets driven by the input voltages cause one side or the
+other to win.  The bias voltage generator for the buffers current sources is
+also shown, which is a resistor feeding into a mirror.</p>
+
+<img src="RNG_files/schem1.png" alt="schematic 1">
+<img src="RNG_files/schem2.png" alt="schematic 2">
+<img src="RNG_files/schem3.png" alt="schematic 3">
+
+
+<p>Here is a simulation of 80 clock cycles, showing typical random data that
+would be XORed together to generate one output bit.  The random output is Q.
+The bottom signal is a 1MHz sine wave which is coupled into the hold
+cap after buffer1 through a capacitor 10% as large as the hold capacitor.  The
+point is to show that non-random sources of noise do not cause the output to be
+less random.  This circuit is highly insensitive to external signals.</p>
+
+<img src="RNG_files/RNG5.png" alt="SPICE simulation">
+
+<p>The main sources of noise in this circuit are primarily shot noise and
+thermal noise.  Shot noise is generated every time an electron is accelerated
+through the input transistors of the voltage followers.  Thermal noise is
+generated in the bias current resistor.  However, the source of noise in the
+SPICE simulation is the numerical errors in the simulator, which dominate over
+the quieter shot and thermal noise.  The actual source of noise should not make
+any differece.  Every analog signal has noise.  It simply has to be amplified
+for us to use it.</p>
+</body></html>