Status: First Cut.
The market for RNGs is dead. We need a Quick and Dirty RNG, and a marketing approach to seed it.
See the following:
To state the requirements for
a simple, easy to build and easy to market hardware RNG.
must be cheap
must be trivial to use
must be fun to buy and use
PC interfaces, especially USB.
Must be capable of being implemented in few circuitry components. A constructed or sold product needs to be in the "opportunistic purchasing" range.
The requirement is to seed the bottom of the market and make use of RNGs routine. Those that need better quality can pay.
The security world has traditionally focused on "perfect quality" and "no known risks." Sometimes known as "no-risk security." This is bogus and has resulted in massive losses.
The more appropriate approach is risk based, opportunistic design. That is, use what you have available, compromise on what is not available.
The market for RNGs now is basically flat. This means that we are comparing not the market for those expensive quality ones, but the market where none are in use at all. So, providing something is better than nothing
This literally means we don't mind if their are flaws in the output. As long as it is better -- hopefully much better -- than nothing.
The interface should be usable by any software without the need for drivers, etc.
Getting drivers out there is too costly.
Ideally, a "drive" interface and then we can use cat(1) to read.
The device should be made with some other popular product.
Chicken & Egg. Nobody buys RNGs because nobody needs them because the software doesn't use them.
In order to sell them we would want to instead sell something else, and provide the RNG for free.
Hence, a 1G memory stick / pen with an RNG included. Alternatively, a USB hub with an RNG included (the ASIC design may make this easier.)
The device should be made according to an open source design.
In order to assess the quality of the RNs, the design must be auditable.
RNGs that are inscrutable are generally mistrusted by many. The opinion leaders look down on anything they can't get into, which leads to widespread rejection of many things. /. is the standard.
Adding to this, there is no reason why it can't be self-constructable. Those who want to do that will do so, but they are a tiny minority; most will prefer to buy, trusting the opinion of the opinion leaders, and purchasing "cool" on the market.
These following are not required but are often features in other systems. They are explicitly listed as such so as to describe the rationale for not requiring them.
Passing DIEHARD or MUST tests is not required.
Most software systems will mix in different pools of generators and thus do the cleaning up themselves.
Also, we need somethign quick and dirty.
Something is better than nothing, which is the status quo. Later on, if it works, add that stuff.