very high speed hardware RNG

Jon Callas jon at callas.org
Tue Dec 30 16:40:59 EST 2008


>
> The thing that bothers me about this description is the too-easy  
> jump between "chaotic" and "random".  They're different concepts,  
> and chaotic doesn't imply random in a cryptographic sense:  It may  
> be possible to induce bias or even some degree of predictability in  
> a chaotic system by manipulating its environment.  I believe there  
> are also chaotic systems that are hard to predict in the forward  
> direction, but easy to run backwards, at least sometimes.
>
> That's not to say this system isn't good - it probably is - but just
> saying it's chaotic shouldn't be enough.
>

You are saying pretty much what I've been saying about this (and some  
other things).

We don't have a formal definition of what we mean by random. My
definition is that it needs to be unguessable. If I have a random
number, the work factor for you to guess it is more or less its
randomness. It's a Shannonesque way of looking at things, but not
precisely information-theoretic.

A deterministic, but chaotic system that is sufficiently opaque gets  
pretty close to random. Let's just suppose that the model they give of  
photons bouncing in their laser is Newtonian. If there's enough going  
on in there, we can't model it effectively and it can be considered  
random because we can't know its outputs.

However, on top of that, there's a problem that hardware people  
(especially physicists) just don't get about useful randomness,  
especially cryptographic random variables. Dylan said that to live  
outside the law, you must be honest. A cryptographic random variable  
has to look a certain way, it has to be honest. It's got to be squeaky  
clean in many ways. A true random variable does not. A true random  
variable can decide that it'll be evenly distributed today, normal  
tomorrow, or perhaps Poisson -- the way we decide what restaurant to  
go to. No, no, not Italian; I had Italian for lunch.

That's why we cryptographers always run things through a lot of  
software. It's also why we want to see our hardware randomness, so we  
can correct for the freedom of the physical process. Imagine a die  
that is marked with a 1, four 4s, and a 5. This die is crap to play  
craps with, but we can still feed an RNG with it. We just need to know  
that it's not what it seems.

So yeah -- it's a glib confusion between chaotic and random, but  
chaotic enough might be good enough. And the assumption that hardware  
can just be used is bad. Hardware that helpfully whitens is worse.

	Jon
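The loaded die above (one 1, four 4s, one 5) is a useful toy for the point Jon makes about raw versus whitened hardware output. The following is an added example, not code from the post or from any of the devices it discusses; the die, the sample sizes and the crude health check are all constructed here for illustration. It measures the die's min-entropy per roll, works out how many rolls must be gathered before hashing them down to a 256-bit seed, runs a frequency check on the raw rolls, and then shows that the same check applied after whitening cannot tell a healthy source from one stuck on a single face.

```python
import hashlib
import math
import random
from collections import Counter

# Constructed dice for the demonstration. LOADED_DIE is the die from the
# post: faces 1, 4, 4, 4, 4, 5, assumed to land on each face equally often.
LOADED_DIE = [1, 4, 4, 4, 4, 5]
FAIR_DIE = [1, 2, 3, 4, 5, 6]


def min_entropy_bits(faces):
    """Min-entropy per roll: -log2 of the most likely face's probability.

    This is the conservative 'unguessability' measure: it only credits the
    source for how hard its *best* guess is, not for its average surprise.
    """
    counts = Counter(faces)
    p_max = max(counts.values()) / len(faces)
    return -math.log2(p_max)


def rolls_needed(faces, security_bits=256):
    """Rolls to collect so that the pool holds `security_bits` of min-entropy."""
    return math.ceil(security_bits / min_entropy_bits(faces))


def sample(faces, n, seed=1234):
    """Simulated raw rolls (deterministic seed so the demo is repeatable)."""
    return random.Random(seed).choices(faces, k=n)


def raw_health_check(rolls, max_face_fraction=0.3):
    """Crude health test on RAW rolls.

    A fair six-sided die shows each face about 1/6 of the time; any face
    appearing in more than 30% of a few hundred rolls means the source is
    not what it seems (biased or stuck). This only works on raw output.
    """
    counts = Counter(rolls)
    top = max(counts.values()) / len(rolls)
    return top <= max_face_fraction


def condition(rolls):
    """Conditioning (whitening) step: hash the raw rolls down to 32 bytes."""
    return hashlib.sha256(bytes(rolls)).digest()


def looks_balanced(data, tolerance=48):
    """Monobit-style check on whitened output.

    For a 256-bit hash the ones count is 128 +/- 8, so a 48-bit tolerance
    (6 sigma) passes essentially any hash output, even of a dead source.
    """
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones - 4 * len(data)) <= tolerance


if __name__ == "__main__":
    n = rolls_needed(LOADED_DIE)
    print(f"loaded die: {min_entropy_bits(LOADED_DIE):.3f} bits/roll, need {n} rolls for 256 bits")
    print(f"fair die:   {min_entropy_bits(FAIR_DIE):.3f} bits/roll, need {rolls_needed(FAIR_DIE)} rolls")

    stuck = [4] * n  # a broken source that only ever reports one face
    for name, rolls in [("fair", sample(FAIR_DIE, n)),
                        ("loaded", sample(LOADED_DIE, n)),
                        ("stuck", stuck)]:
        raw_ok = raw_health_check(rolls)
        white_ok = looks_balanced(condition(rolls))
        print(f"{name:6s} raw check: {'pass' if raw_ok else 'FAIL'}   "
              f"after whitening: {'pass' if white_ok else 'FAIL'}")
```

The loaded die is a perfectly usable source once you know its shape: it yields about 0.58 bits of min-entropy per roll, so roughly 438 rolls hashed together give a 256-bit seed. The last loop is the reason for the post's closing line: the raw check catches both the loaded and the stuck die, but every whitened output looks balanced, so a device that only ever exposes hashed bits gives the consumer no way to notice that its physical source has died.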

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


