Tries to seed an AES-CTR based PRNG using the TRNG, RTC, SysTick and ADC.

It is not really a CSPRNG as revealing its state allows to compute all previous outputs (it has no forward secrecy). It also is only good up to a limited amount of randomness after seeding it. Fortuna for example does not use more than 1 MiB without reseeding such a construct. I guess that limit is set very conservative though.

I guess these two limitations (no forward secrecy and only a limited amount of strong randomness) is acceptable for us. Calls to the RNG seem to be very few and the device is usually power cycled often in comparison.

Seeding is done via a SHA256 over the following data:

• 256x 16 bytes from the TRNG. Amount of entropy is unknown.
• The current second and subsecond values from the RTC.
• Current value of the SysTick.
• 256x a 10 bit ADC reading. Maybe 1 bit of entropy per reading.

CSPRNG: https://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator

FORTUNA: https://en.wikipedia.org/wiki/Fortuna_(PRNG)

Other potential options for a CSPRNG:

• https://github.com/smuellerDD/chacha20_drng
• https://www.silabs.com/documents/public/application-notes/AN0806.pdf