<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Thu, 23 Jul 2015 at 04:57 Rob Seward <<a href="mailto:robseward@gmail.com">robseward@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>
<div style="font-family:'Helvetica Neue';font-size:14px">
<div>
<div>Hi,
</div><div>I’m trying to whiten a random noise source (a reverse biased transistor) with a low-powered microprocessor. I figured out a technique that seems to work well, and I want to know if there is anything insecure or subpar about it.
</div><div><br></div><div>(Earlier, I had heard that XORing a random stream with alternating 0s and 1s could remove bias. However, this strikes me as very insecure, because an attacker could reverse the mask by XORing the mixed stream with the same 01 mask. Also, I had used the <a href="https://en.wikipedia.org/wiki/Hardware_random_number_generator#Software_whitening" target="_blank">Von Neumann algorithm</a>, but this slows output significantly.)
</div><div><br></div><div>The algorithm mixes new bytes derived from the noise source with previous ones in an overlapping manner. Below is the source code, and a link to an illustration of the process.
</div><div><br></div><div>I’ve done some testing, and it appears to transform data that shows as much as 5% bias to ~0% while passing <span style="font-family:'Andale Mono'">ent</span> chi-square. Some less rigorous testing with NIST also had positive results.
</div><div><br></div><div>Here’s an illustration of what the algorithm is doing:
</div><div><a href="http://imgur.com/itLWNyf" target="_blank">http://imgur.com/itLWNyf</a></div><div><br></div><div><span style="font-family:'Andale Mono'">void loop(){</span></div><div><span style="font-family:'Andale Mono'"> currentByte = readByteFromSource()</span></div><div><span style="font-family:'Andale Mono'"><br></span></div><div> <span style="font-family:'Andale Mono'">mixedByte1 = currentByte ^ previousByte;</span>
</div><div><span style="font-family:'Andale Mono'"> mixedByte2 = mixedByte1 ^</span> <span style="font-family:'Andale Mono'">previousMixedByte1</span><span style="font-family:'Andale Mono'">;</span>
</div><div><div><span style="font-family:'Andale Mono'"> mixedByte3 = mixedByte2 ^ previousMixedByte2;</span></div><div><span style="font-family:'Andale Mono'"> mixedByte4 = mixedByte3 ^ previousMixedByte3;</span></div></div><div><span style="font-family:'Andale Mono'"> outByte = mixedByte4 ^ previousMixedByte4;</span></div><div><span style="font-family:'Andale Mono'"><br></span></div><div><span style="font-family:'Andale Mono'"> Serial.write(outByte);</span></div><div><span style="font-family:'Andale Mono'"> </span></div><div><span style="font-family:'Andale Mono'"> previousByte = currentByte;</span></div><div><span style="font-family:'Andale Mono'"> previousMixedByte1 = mixedByte1;</span></div><div><span style="font-family:'Andale Mono'"> previousMixedByte2 = mixedByte2;</span></div><div><span style="font-family:'Andale Mono'"> previousMixedByte3 = mixedByte3;</span></div><div><span style="font-family:'Andale Mono'"> previousMixedByte4 = mixedByte4; <br></span></div><div><span style="font-family:'Andale Mono'">}</span></div></div></div></div></div></blockquote><div><br></div><div>The repeated XORs make this mildly fishy. For example, if we assume everything is initialised to 0, then the first byte output is B0, and all the state bytes are also set to B0.</div><div><br></div><div>The second byte out, therefore, is B0 ^ B1, and pmb1 = pmb3 = B0 ^ B1, pmb2 = pmb4 = B1.</div><div><br></div><div>Third byte out is B2 ^ B1 and pmb1 = B1 ^ B2, pmb2 = B2 ^ B0, pmb3 = B2 ^ B1 ^ B0, pmb4 = B2.</div><div><br></div><div>In other words, I don't think this is doing what you think its doing.</div><div><br></div><div>Addition (with carry bit recycled?) might be a better choice.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div style="font-family:'Helvetica Neue';font-size:14px"><div><div><span style="font-family:'Andale Mono'"><br></span></div><div></div></div><div></div></div></div></div>
_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com" target="_blank">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" rel="noreferrer" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a></blockquote></div></div>