building a true RNG
John S. Denker
jsd at monmouth.com
Thu Jul 25 11:45:20 EDT 2002
David Honig helped focus the discussion by advocating the
block diagram:
> Source --> Digitizer --> Simple hash --> Whitener (e.g., DES)
Let me slightly generalize this to:
! Source --> Digitizer --> hash --> Whitener (e.g., DES)
i.e. we defer the question of whether the hash is "simple" or not.
I continue to claim that
  a) if the hash function happens to have a property I call "no
     wasted entropy" then the whitening stage is superfluous (and
     you may decide to classify the hash as "non-simple"); otherwise
  b) if the hash function does not have that property, this
     is a defective Random Symbol Generator and
     b1) the whitener will _at best_ conceal, not remove the
         defects, and
     b2) this is not the best way to conceal defects. Very
         definitely not.
To illustrate my point, I will accept David's example of a
simple-hash function; he wrote:
> Parity is the ultimate hash.
Well, then, suppose that the raw data coming off my digitizer
consists of an endless sequence of even-parity words. The
words have lots of variability, lots of entropy, but the parity
is always even. Then the output of the simple-hash is an endless
sequence of zeros. I encrypt this with DES. Maybe triple-DES.
It's not going to help. The generator is defective and doesn't
even have satisfactory error-concealment.
I like my design a lot better:
+ Source --> Digitizer --> good hash
where I have chosen SHA-1 as my hash function.
Finally, since SHA-1 is remarkably computationally efficient,
I don't understand the motivation to look for "simpler" hash
functions, especially if they are believed to require whitening
or other post-processing.
=================
Thanks again for the questions. This is a good discussion.
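
Added example, not part of the original message: a Python sketch of the even-parity scenario above, comparing the parity-hash-plus-whitener pipeline with SHA-1 applied directly to the digitizer words. Assumptions: the digitizer is simulated with a seeded PRNG (constructed data, not an entropy source), and the whitener is a truncated HMAC-SHA256 applied per 8-byte block in ECB style as a stand-in for DES; all function names are hypothetical.

```python
import hashlib
import hmac
import random

def even_parity_words(n, seed=2002):
    """Constructed stand-in for the digitizer: n 16-bit words, parity forced even."""
    rng = random.Random(seed)  # deterministic sample data, not a real entropy source
    words = []
    for _ in range(n):
        w = rng.getrandbits(15) << 1      # 15 free bits of variability per word
        w |= bin(w).count("1") & 1        # low bit chosen so the total parity is even
        words.append(w)
    return words

def parity_hash(words):
    """The 'simple hash': one output bit (the parity) per input word."""
    return [bin(w).count("1") & 1 for w in words]

def pack_bits(bits):
    """Pack bits into bytes, 8 per byte, MSB first (len(bits) must be a multiple of 8)."""
    return bytes(int("".join(map(str, bits[j:j + 8])), 2)
                 for j in range(0, len(bits), 8))

def whiten(data, key=b"constructed-key"):
    """Stand-in for the DES whitener: a keyed deterministic function applied to
    each 8-byte block independently (ECB-style). Truncated HMAC-SHA256, not DES."""
    return [hmac.new(key, data[i:i + 8], hashlib.sha256).digest()[:8]
            for i in range(0, len(data), 8)]

def sha1_hash(words, words_per_block=16):
    """The 'good hash' design: SHA-1 over blocks of raw digitizer words."""
    out = []
    for i in range(0, len(words), words_per_block):
        raw = b"".join(w.to_bytes(2, "big") for w in words[i:i + words_per_block])
        out.append(hashlib.sha1(raw).digest())
    return out

def demo(n=1024):
    words = even_parity_words(n)
    hashed = pack_bits(parity_hash(words))
    return {
        "distinct_input_words": len(set(words)),
        "parity_hash_nonzero_bytes": sum(1 for b in hashed if b),
        "distinct_whitened_blocks": len(set(whiten(hashed))),
        "distinct_sha1_blocks": len(set(sha1_hash(words))),
    }

if __name__ == "__main__":
    print(demo())
```

The whitened stream is one block repeated, because the whitener only ever sees zeros; a chaining or counter mode would hide the repetition but the output would still be fully determined by the key.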