FUCKGOATS
by No Such lAbs (MPEx:S.NSA)
No Such lAbs is pleased to announce its first hardware product, the FUCKGOATS !
FUCKGOATS is an auditable True Random Number Generator suitable for use with workstations, servers, or any other hardware (such as a doomsday device), provided the hardware in question can take a serial bit stream (via an RS-232-to-USB converter, directly, or by whatever other means, such as a CAN bus).
You can use it to feed your /dev/random pool, for instance.
Why is entropy important ?
As the old adage (John von Neumann's) goes,
"Any one who considers arithmetical methods of producing random digits is living, of course, in a state of sin."
Any Turing machine (such as any desktop or laptop computer, tablet, smartphone or other digital device of any type, kind, make or vintage, including without limitation any machinery used by any government for any purpose, be it nuclear tests, space flight or military applications, not to mention Tamagotchis and old Nintendo boxes) is, by definition (and without exception possible in theory or ever encountered in practice), a square keyhole. It can be opened equally well by all who possess the mighty secret of the shape of its key : a square.
Entropy provides the only solution available, and the only solution possible, to this problem. The only way known, and the only way that can ever be or will ever be devised, to transform a computer into my computer, as a matter of fact rather than an exercise in delusion, relies on the use of entropy. There is not, nor could there ever be, any alternative.
Consequently, the only fair statement of the situation is to point out that entropy is not merely fundamental, but specifically required for personal as opposed to collectivist computing ; and as technological development pushes society further into the digital age, entropy becomes ever more central as the only available building block of individual existence. In short : without entropy, you don't exist, because without entropy there is no you, there's only a morass of "us".
Where does entropy come from ?
Entropy comes from nature, and from nature only. While certain natural phenomena (such as Johnson-Nyquist noise and radioactive decay) are most readily mined for their entropy, other natural phenomena can in principle be used.
Can computers produce entropy ?
The very idea of digital electronics revolves around a set of techniques for countering the effects of entropic phenomena (e.g., electrical noise, background radiation, variations in temperature) and thereby creating maximally deterministic automata. And so a digital computer per se is uniquely unsuited to the task of producing entropy, in much the same way that a blast furnace is uniquely unsuited to refrigeration. It must be augmented with a device specifically built for the purpose of entropy collection.
My computer came with a source of entropy, which appears to work. Why would I want a new one ?
No computer sold today includes any such thing as an auditable generator of entropy. In particular, any circuit integrated into a CPU die is ipso facto non-auditable: current technology offers no practical, non-destructive means of disassembling and testing the individual components of such a device. Various other entities purport to offer TRNG units for sale. Similarly, various "other entities" purport to offer Bitcoin substitutes. We propose that on one hand all those other entities are politically suspect, in the sense that on more or less superficial analysis they all appear to be fronts for the same one entity known to dedicate itself to the subversion of personal computing ; and on the other hand technologically suspect, in the sense that none which make a sufficient set of claims to meet the definition of a True Random Number Generator also offer sufficient backing of their claims to convince anyone. In short : everyone else hawking TRNGs is either directly working for the NSA, or else indirectly (by virtue of stupidity) working for the NSA, but in either case can not be trusted.
Is there such a thing as better or worse entropy ?
Entropy is an abstract physical concept, much like the notions of mass and energy. While certain specified objects can have more or less mass or energy than others, it can not be the case that they have a better or worse mass or energy. In the abstract there's only one entropy, just like there's only one inertial mass.
Unlike mass (in the pedestrian Newtonian understanding) and like energy, especially of the kinetic variety, entropy is not a property of static objects, but of systems. It is also a mistake to refer to the entropy of a number -- numbers are not physical objects at all, and there is no way to guarantee a useful relationship between any number and the entropy of a system.
The number 5555 doesn't have more or less entropy than the numbers 4444 or 8315. The physical system with which these numbers were produced can be more or less entropic, but if all three came out of the same apparatus, then it's improper to say that one is "more random" than another -- entropy is an attribute of the process which produced them. The number 5555 can be the output of any kind of physical measurement, of a system with any degree of entropy, irrespective of the fact that 5555 may contradict naive expectations of patternlessness in entropic processes. (Also in this same vein, clouds are really not dragon shaped.)
But I've heard that entropy is measurable! And that there are several kinds of entropy.
Purely mathematical definitions of the so-called entropy of a bitstring exist (e.g., A. Kolmogorov's, or C. Shannon's). In fact, a rough estimator of this kind of entropy is found on nearly all personal computers: the ubiquitous 'PKZIP' data compressor. However, this type of entropy, even when measured over a sequence of sample strings in an effort to determine the statistical properties of the generator, is merely incidental to the generator's cryptographic entropy. The two concepts are not interchangeable!
Confusing this mathematical definition of the entropy of bitstrings with the cryptographic definition of the entropy of TRNGs is very dangerous for your cryptographic needs. This danger does not stay theoretical, but on the contrary often shows its claws in practice. The deranged practice of "whitening", for instance, comes exactly from a misguided attempt to improve the cryptographic value of random streams by making them better fit the mathematical definition of entropy, at the cost of a multifaceted decrease in the actual security of the system.
What is cryptographic entropy?
Mathematical entropy, however defined, is a property of a particular bitstring. On the other hand, cryptographic entropy is a property of a system consisting of your entropy generator and the enemy. A cryptographer is interested in the likelihood that a bitstring produced by a particular generator is known to, or deducible by, the enemy. Mathematical analysis of an entropy generator is only of interest from a cryptographic point of view in so far as it provides answers to this question.
This concept is best illustrated by example. The mathematical entropy of the digits of Pi is very high by any measure. The cryptographic entropy of such a generator, however, is entirely nonexistent : the enemy will sooner or later figure out your process and subvert your expectations.
Similarly nonexistent is the cryptographic entropy of any bitstring displayed on a public Web site -- regardless of how said string was generated!
How does FUCKGOATS obtain its entropy ?
Here's a schematic representation of FUCKGOATS :
------------------------------------------------------------------------------
Figure 1. Connections in Standard FG Kit.
------------------------------------------------------------------------------
+---------+
|+-------+|
|| ||
||Cardano||
|| RNG ||
|| A ||
|| ||
|+-------+|
+---------+
| | |
3 R G
V N N
3 G D
| | |
+---------+
| |
| +----+ |
+-----------+ | |CPLD| |
| CP2102, |----5V-----| +----+ |
+----+ FT232, |----GND----| |
|USB or equiv. | | 'M' +-+ |
+----+ USB UART |<---RXD---<| |J| |
| module |>---RST--->| |T| |
+-----------+ | |A| |
| |G| |
| +-+ |
+---------+
| | |
G R 3
N N V
D G 3
| | |
+---------+
|+-------+|
|| ||
||Cardano||
|| RNG ||
|| B ||
|| ||
|+-------+|
+---------+
------------------------------------------------------------------------------
FUCKGOATS comes with a standard USB-to-TTL converter (which allows the unit to be plugged into any machine with a USB connector) as well as a Modulator ("M" in the illustration) and two Cardano RNG 'TW' Analogue modules. There's also a variant available with an RS232-to-TTL converter in place of the USB unit. Bulk purchasers may request FUCKGOATS kits without any TTL converter (these can be sourced independently, at a cost of about $1 per unit in any serious quantity).
It is worth noting that only the RX pin of the converter's RX/TX pair is connected : during normal operation there is no communication of any kind from the host computer to the RNG. The RNG gets filtered, regulated power supply current plus the reset signal on boot. That's it.
The Cardano RNG 'TW' is an analogue circuit which produces a logic-level output fluctuating over time. Purchasers will receive a copy of its schematic, and are encouraged to create and publish their own compatible analogue modules. Any circuit which is capable of producing a nondeterministically-fluctuating logic-level voltage (e.g., a Geiger counter with trivial modifications) is a suitable substitute for the 'TW' - simply remove the TW and connect the substitute. This operation can be carried out bilaterally or on only one of the two ends, FUCKGOATS will carry on in either case. No Such lAbs may offer variant Analogue RNG modules of its own in the future.
The Modulator (M) combines the inputs from the two included Cardano RNG 'TW' modules, performs debiasing with the Von Neumann fair-coin algorithm, and modulates the result into bursts of serial bitstream at 115200 baud (8 data bits, 1 stop bit, no parity, i.e. 8N1). Purchasers will receive full schematics for the Modulator unit, a copy of the CPLD configuration (in Verilog), and also a copy of the compiled bitstream that was shipped with their particular unit. The creation, and, ideally, publication of compatible Modulator units is welcome.
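The page says the stream can feed your /dev/random pool and that it arrives as plain 115200 8N1 bytes with nothing ever sent back to the device. The following host-side reader is an added example for this page, not S.NSA software: it assumes a serial device path (default /dev/ttyUSB0), opens it read-only as a raw 8N1 line, refuses any block that shows the failure modes an unwhitened stream exposes openly (dead or stuck output, gross bias), and credits the surviving blocks to the Linux kernel with the RNDADDENTROPY ioctl. The sanity thresholds and the default of crediting 8 bits per byte are the example author's choices, not measured properties of the hardware; pump_bytes() and constructed_live_block() exist only so the logic can be exercised offline.

```python
"""Feed a raw, unwhitened serial TRNG stream (115200 8N1) into /dev/random.

Added example, not S.NSA software. Assumptions: device path, block size,
sanity thresholds and the entropy credit per byte are all the example
author's choices. The ioctl requires root (CAP_SYS_ADMIN).
"""
import fcntl
import hashlib
import os
import struct
import termios
import tty

RNDADDENTROPY = 0x40085203   # Linux: _IOW('R', 0x03, int[2])
BLOCK = 4096                 # bytes checked and credited at a time


def sanity_check(buf, min_distinct=64, bias_bound=0.1):
    """Return None if buf looks like a live, debiased source, else a reason string.
    Deliberately crude: it certifies nothing, but it refuses exactly what a
    whitener would hide. Thresholds are assumptions."""
    if len(buf) < 256:
        return "block too short to judge"
    distinct = len(set(buf))
    if distinct < min_distinct:
        return "only %d distinct byte values (dead or stuck source?)" % distinct
    ones = sum(bin(b).count("1") for b in buf)
    frac = ones / (8 * len(buf))
    if abs(frac - 0.5) > bias_bound:
        return "monobit fraction %.3f outside tolerance" % frac
    return None


def rand_pool_info(buf, credit_bits_per_byte=8):
    """Pack struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }.
    entropy_count is in bits; 8 per byte claims full entropy. A cautious operator
    may credit less while still mixing every byte into the pool."""
    if not 0 <= credit_bits_per_byte <= 8:
        raise ValueError("credit must be between 0 and 8 bits per byte")
    return struct.pack("ii", credit_bits_per_byte * len(buf), len(buf)) + buf


def add_entropy(devrandom_fd, buf, credit_bits_per_byte=8):
    """Mix buf into the kernel pool and credit it (root only)."""
    fcntl.ioctl(devrandom_fd, RNDADDENTROPY, rand_pool_info(buf, credit_bits_per_byte))


def open_serial(path, baud=termios.B115200):
    """Open the UART read-only as a raw 8N1 line. Only RX is used; nothing is
    ever written to the device, matching the RX-only wiring described above."""
    fd = os.open(path, os.O_RDONLY | os.O_NOCTTY)
    tty.setraw(fd)                                  # 8 data bits, no parity, no line discipline
    attrs = termios.tcgetattr(fd)
    attrs[2] &= ~termios.CSTOPB                     # 1 stop bit
    attrs[2] |= termios.CLOCAL | termios.CREAD      # ignore modem lines, enable receiver
    attrs[4] = attrs[5] = baud                      # input and output speed
    termios.tcsetattr(fd, termios.TCSANOW, attrs)
    return fd


def pump(src_fd, sink, block=BLOCK, max_blocks=None):
    """Read whole blocks from src_fd, drop those failing sanity_check, hand the
    rest to sink(buf). Returns (accepted, rejected); stops at EOF or max_blocks."""
    accepted = rejected = 0
    while max_blocks is None or accepted + rejected < max_blocks:
        buf = b""
        while len(buf) < block:
            chunk = os.read(src_fd, block - len(buf))
            if not chunk:                           # EOF: a partial block is discarded
                return accepted, rejected
            buf += chunk
        if sanity_check(buf) is None:
            sink(buf)
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def pump_bytes(data, block=BLOCK):
    """Run pump() over an in-memory byte string via a pipe (offline testing only;
    keep data below the pipe capacity, 64 KiB on Linux)."""
    r, w = os.pipe()
    view = memoryview(data)
    while view:
        view = view[os.write(w, view):]
    os.close(w)
    good = []
    try:
        counts = pump(r, good.append, block=block)
    finally:
        os.close(r)
    return counts, good


def constructed_live_block(n=BLOCK, seed=b"constructed, not hardware output"):
    """SHA-256 chain standing in for a healthy stream in offline tests (constructed)."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


if __name__ == "__main__":
    import sys
    port = sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0"
    rnd = os.open("/dev/random", os.O_WRONLY)
    pump(open_serial(port), lambda buf: add_entropy(rnd, buf))
```

Run it as root with the port as the only argument. Because the source is not whitened, a stuck or dead unit is rejected at the first block rather than silently credited; in production the same job is usually delegated to rngd from rng-tools, but the check above is the part worth understanding.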
FUCKGOATS' design departs radically from the shamanic traditions of the computer-insecurity industry as you know it. The FUCKGOATS unit consists of three interchangeable types of component, which may be substituted, mixed and matched much in the manner of LEGO blocks. They can also be tested individually using deterministic input-to-expected-output mappings. A Cardano RNG 'TW' contains two identical (XOR-ed) subcircuits, which are brought out to test points at the bottom side of the circuit board. The purchaser may thus verify the correct operation of these subcircuits at any point during the lifetime of the product.
The electromagnetic shield of a 'TW' analogue module is removable, and the inside of the unit may be examined (and manipulated, e.g., photographed, or filled with epoxy, etc.) by the owner. Since the analogue module cannot be deterministically tested, it falls upon the serious user to carefully study his particular set and determine that the units' physical composition corresponds to the supplied electrical schematic.
The analogue module performs no post-processing of any kind on the output, and stores no digital state. The quality of the output is optimal at room temperature and with a reasonably-clean power supply. The Modulator is equipped with a ferrite bead, filter caps, and an independent linear regulator for the CPLD and each of the two analogue 'TW' modules. The owner may, at his option, power a FUCKGOATS unit from a battery (power supply pins are clearly marked - but batteries / casings are not included).
The Modulator is a digital circuit which debiases the output of the analogue RNG modules and converts it to a form usable by the host machine (e.g., a PC-compatible). Importantly, and quite unlike the ubiquitous rubbish "T"RNG units presently sold by a multitude of charlatans, the bitstream is not whitened.
This so-called whitening is a pseudoscientific practice whereby the actual quality of a TRNG's output is masked by the 'perfume' of a 'mixing' function : a defective or even wholly dead generator will appear to function, and will pass statistical entropy tests, simply because its output has been passed through a hash or stream cipher. Needless to say, such snake-oil may fool the naive operator and no one else ; the use of this technique by hostile elements embedded by the USG in the computing community provides ample evidence of the deliberate and Empire-serving nature of the fraud.
The foregoing notwithstanding, the owner of a FUCKGOATS unit is of course free to process his unit's output in whatever manner he likes before use. In particular, XOR-ing together three or more independent FUCKGOATS operated from isolated power supplies can not possibly hurt anything, provided the units really are independent (which is why the isolated power supplies matter).
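The two points made above, that mathematical entropy estimators say nothing about cryptographic entropy, and that whitening masks a dead generator while Von Neumann debiasing does not, can be shown side by side on the host. The following is an added example for this page, not S.NSA's Verilog or any of its code: the two sources (a biased coin and an output stuck at 0) are constructed in software, the debiaser is the general Von Neumann fair-coin algorithm the text names, and the 'whitener' is a hypothetical counter-plus-SHA-256 construction standing in for the hash or stream cipher the text complains about.

```python
"""Von Neumann debiasing versus 'whitening', simulated on the host.

Added example for this page, not S.NSA code. Sources are constructed;
whiten() is a hypothetical construction, not any vendor's circuit.
"""
import hashlib
import random
import zlib


def bits_to_bytes(bits):
    """Pack 0/1 ints MSB-first into bytes, dropping a partial tail byte."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def bytes_to_bits(data):
    """Unpack bytes into a list of 0/1 ints, MSB first."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def von_neumann(bits):
    """Von Neumann fair-coin debiaser: consume non-overlapping bit pairs, emit
    the first bit of each unequal pair (01 -> 0, 10 -> 1), discard 00 and 11.
    Output rate depends on the source's bias, and a stuck source yields nothing
    at all, which is the point: a dead generator fails visibly."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def whiten(bits, chunk=32):
    """Hypothetical whitener: SHA-256 over a counter plus a chunk of raw input.
    Whatever the input, the output looks statistically perfect, so a dead
    source passes every test that only looks at the output."""
    raw = bits_to_bytes(bits)
    out = []
    for i, off in enumerate(range(0, len(raw), chunk)):
        digest = hashlib.sha256(i.to_bytes(8, "big") + raw[off:off + chunk]).digest()
        out.extend(bytes_to_bits(digest))
    return out


def monobit_bias(bits):
    """Fraction of ones (0.5 is unbiased); None for an empty stream."""
    return sum(bits) / len(bits) if bits else None


def compressibility(bits):
    """The 'PKZIP' estimator of mathematical entropy: compressed size over raw
    size. Near 1.0 is incompressible, near 0 is highly structured. None if the
    stream is too short to form a byte."""
    raw = bits_to_bytes(bits)
    if not raw:
        return None
    return len(zlib.compress(raw, 9)) / len(raw)


def biased_source(n, p_one=0.7, seed=1):
    """Constructed stand-in for a live but biased analogue stage (seeded)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def dead_source(n):
    """Constructed stand-in for a failed analogue stage: output stuck at 0."""
    return [0] * n


def audit(bits):
    """Summarise a stream the way a naive, output-only test would."""
    return {"length": len(bits), "bias": monobit_bias(bits), "ratio": compressibility(bits)}


if __name__ == "__main__":
    n = 100_000
    for name, src in (("biased", biased_source(n)), ("dead", dead_source(n))):
        print(name, "raw:        ", audit(src))
        print(name, "von Neumann:", audit(von_neumann(src)))
        print(name, "whitened:   ", audit(whiten(src)))
```

The biased source comes out of von_neumann() with a monobit fraction near 0.5 and a reduced bit rate, and the dead source comes out as an empty stream, which is impossible to mistake for health. The same dead source passed through whiten() scores near 0.5 on monobit and near 1.0 on the compressor, i.e. its mathematical entropy is as high as a good generator's while its cryptographic entropy is exactly zero.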
That's nice and all, but can I verify any of it ?
A great question to ask, and one you should definitely ask more often. Yes, you can verify all of it ; in the case of FUCKGOATS, and of FUCKGOATS alone, you can. We've built it deliberately so it's as easy to audit and modify as possible. Auditability by the end user happens to be a No Such lAbs core value.
Customization is your strongest defense against supply-line sabotage. When your setup is spitefully, unpredictably, arbitrarily non-standard, vermin die squealing under your unyielding boot.
The current FUCKGOATS Modulator is based on a Xilinx XC9572XL, a CPLD with 72 macrocells. This is a Flash-based device, and is sold to us "empty" ; the bitstream is loaded via the JTAG pins. This introduces an obvious attack vector: an enemy with physical access to your device could with relative ease replace the bitstream with one of his own, and thereby sabotage your RNG. The pill against this is to obtain a compatible JTAG interface (not included with your FUCKGOATS purchase, but an inexpensive and commonplace item available from many different suppliers), read back the contents of the CPLD's Flash, and compare them against the supplied original (or your personal variant!). A device that refuses readback, or reads back anything other than the expected bitstream, has not been verified and should be treated accordingly.
A "V-Genesis" source, bitstream, and electrical schematic package will be posted here when the first batch of units arrives from the factory, in early December 2016.
Alternatively, the enemy may at some point contrive to supply S.NSA with boobytrapped CPLDs, designed to fail under particular circumstances by emitting a prearranged bitstream in place of the desired TRNG stream. The pill against this scenario is the presence of a ready means of deterministic test. It is for this reason that the Modulator is built to be trivially detachable from the analogue entropy gatherers.
As per FUCKGOATS design, a CPLD under audit has no way of knowing that it is connected to a test rig rather than to the set of analogue RNG modules it was sold with, and therefore the introduction of known waveforms into the analogue RNG module connectors must either cause the expected output to emerge from the modulator -- or else will unmask the boobytrapped (or failed -- nothing lasts forever) unit. The purchaser will be supplied with a Verilog testbench (suitable for use with the open source Icarus, and any similar system) ready to provide for precomputation of expected output given particular input waveforms.
Here's an alternative, and very simple means of auditing a Modulator :
-------------------------------------------------------------------------------
Figure 2. An example Audit Circuit.
-------------------------------------------------------------------------------
+---------+
|+-------+|
|| ||
||Cardano||
|| RNG ||
|| A ||
|| ||
|+-------+|
+---------+
| | |
| | +----------------+
| +-.--------------+ |
| | | | |
3 R G R G
V N N N N
3 G D G D
| | | | |
+---------+ +---------+
| | | |
| +----+ | | +----+ |
+-----------+ | |CPLD| | | |CPLD| |
| CP2102, |----5V-----| +----+ | | +----+ |--...
+----+ FT232, |----GND----| | | |--...
|USB or equiv. | | 'M' +-+ | | 'M' +-+ |
+----+ USB UART |<---RXD---<| 1 |J| | | 2 |J| |--...
| module |>---RST--->| |T| | | |T| |--RST
+-----------+ \ | |A| | | |A| | /
......| |G| |......| |G| |..
| +-+ | | +-+ |
+---------+ +---------+
| | | | |
G R 3 G R
N N V N N
D G 3 D G
| | | | |
+-.--------------+ |
| +-.--------------+
| | |
+---------+
|+-------+|
|| ||
||Cardano||
|| RNG ||
|| B ||
|| ||
|+-------+|
+---------+
------------------------------------------------------------------------------
Modulator (2) is hooked up in tandem with a known-good Modulator (1) (the Verilog circuit comprising the Modulator can be compiled for any brand of CPLD having the same or greater gate capacity), both driven by the same set of known-good analogue RNG modules (or any other source of logic-level signal substituted for testing purposes). An asynchronous, active-low reset (RST) holds both Modulators in an inactive state and, when released, triggers a lockstep run. The TTL outputs of the two Modulators must be identical. Note that the streams will diverge naturally after several hours, if for no other reason than unavoidable manufacturing variations in the two quartz oscillators ; a divergence well short of that is a failed audit.
The purchaser is encouraged to conceive of, and publish other audit methodologies. We're very much interested to hear as to your tests and their results - please
make contact in #trilema on Freenode.
How do I get my hands on a few of these ?
Click here to visit the S.NSA shop.
Please read the instructions and follow them exactly ! Or you could lose your coin ! and we will not be able to help.
Can I buy these for Happy Non-Denominational Holiday Celebration ?
Certainly. Most people use computers, therefore most people would greatly benefit from the privacy enhancing power of a strong entropy generator. They don't even have to know what it is or how it works to benefit from its presence, buy it for them, gift it to them, install it for them and live happily ever after. It certainly beats anything Hallmark has to offer.
When will my order ship?
The first batch of FUCKGOATS is presently on schedule to leave the factory and enter QA testing in the first week of December 2016.
Please watch this page for updates!