<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 7/21/16 8:06 AM, Tom Mitchell wrote:<br>
</div>
<blockquote
cite="mid:CAAMy4UTdJ9xZEgMOomFh640i+hTufT-X+ZvYSmX=SVc4oZzB3g@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote"><br>
<div><a moz-do-not-send="true"
href="http://imotp.sourceforge.net/noise.pdf">http://imotp.sourceforge.net/noise.pdf</a>
<--- interesting.</div>
<div> From the above link : "Transistor junction noise
provides a source of true random data that can </div>
<div> be sampled and
stored on a computer. However, this sampled data does not
contain 1 bit of entropy </div>
<div> per bit
of stored data. It is therefore necessary to post process
the data samples to distil the
existing </div>
<div> entropy into a smaller number of high entropy bits."</div>
<br>
</div>
</div>
</div>
</blockquote>
This isn't just a property of transistor noise. It's a property of
all digital samplings of physical processes in this universe.<br>
<br>
If you are building a circuit to convert sampled noise into bits,
you need to do entropy distillation/conditioning/extraction or
whatever it's called this week. I prefer distillation since it gets
at the essence of what's going on.<br>
<br>
Pinkas proved with a single source, no deterministic algorithm will
get you to 100% entropy, as in Hinf(X)=1, or stated more directly,
max_i(P(xi)=1) = 0.5.<br>
<br>
Dodis proves you can get close enough for crypto, but the guarantee
is a computational bound, not full entropy.<br>
<br>
You can get there with multiple independent sources, but where do
you find independent sources in this universe?<br>
<br>
For the practicing engineer, you can take advantage of multiple
sources and accept that while you can't prove they are independent,
you can assume they are independent enough that it's going to work.
The benefits being that the multiple input extractors can be simpler
with more clear proofs. We built one this way and as far as I know
it's the world's most efficient RNG (in bits/s/W and bit/s/m^2).
<a class="moz-txt-link-freetext" href="http://www.deadhat.com/papers/uRNG.pdf">http://www.deadhat.com/papers/uRNG.pdf</a><br>
<br>
I think it is an issue for crypto systems that people built physical
RNG noise sources without paying attention to extractor theory. The
two are tightly coupled disciplines.<br>
<br>
DJ<br>
<br>
<br>
<br>
</body>
</html>