<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Fri, Jul 24, 2015 at 5:04 AM, Sebastian Gesemann <span dir="ltr"><<a href="mailto:s.gesemann@gmail.com" target="_blank">s.gesemann@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Fri, Jul 24, 2015 at 3:20 AM, Bill Cox <<a href="mailto:waywardgeek@gmail.com">waywardgeek@gmail.com</a>> wrote:<br>
<span class="">> On Thu, Jul 23, 2015 at 2:48 PM, Krisztián Pintér wrote:<br>
>> use a small cryptographic sponge in duplex mode, for example<br>
>> keccak[200, r=8] reduced to 6 rounds. this sponge instance has 96 bit<br>
>> security, and requires only 25 bytes of memory. this is a very safe<br>
>> solution, although of course a magnitude slower than yours, and also<br>
>> needs a fair bit of code.<br>
><br>
</span><span class="">> Not a bad solution. I use 1600-bit Keccak to whiten the output of my<br>
> Infinite Noise TRNG. Works great :-)<br>
><br>
> Bill<br>
<br>
</span>Ok, 1600 = b = r + c. What's your choice of r and c for rate and<br>
capacity? What's a typical entropy estimate for your input bits? And<br>
do you use the full 24 rounds of Keccak-F[1600]?<br></blockquote><div><br></div><div>I use the full 24 rounds of KeccakF-1600. I absorb 512 bits at once, with 0.86 bits of average entropy per bit. This is computed from the gain around an op-amp. If K is the gain, then the entropy/bit is log2(K). In this case, I use K = 1.82. This results in cryptographically scrambling the state all at once. I squeeze 512*min(measuredEntropy, theoreticalEntropy/1.03) bits. It is fast compared to th 300K bits/second coming from my TRNG.</div><div><br></div><div>I also have an "outputMultiplier" parameter. If a user needs unpredictable pseudo-random data faster than my TRNG produces (around 240K bits/s of whitened data), then I simply squeeze 256*outputMultiplier bits for each 512 bits absorbed. This does not produce true random data, as there is far less than 1 bit of entropy per bit of output, but it is useful in some cases.</div><div><br></div><div>Bill<br></div></div></div></div>