building a true RNG

[John S. Denker]

David Honig helped focus the discussion by advocating the 
block diagram:

> Source --> Digitizer --> Simple hash --> Whitener (e.g., DES)

Let me slightly generalize this to:
! Source --> Digitizer --> hash --> Whitener (e.g., DES)

i.e. we defer the question of whether the hash is "simple" or not.

I continue to claim that
 a) if the hash function happens to have a property I call "no 
wasted entropy" then the whitening stage is superfluous (and
you may decide to classify the hash as "non-simple");  otherwise
 b) if the hash function does not have that property, this
is a defective Random Symbol Generator and 
  b1) the whitener will _at best_ conceal, not remove the 
      defects, and
  b2) this is not the best way to conceal defects.  Very
      definitely not.

To illustrate my point, I will accept David's example of a
simple-hash function;  he wrote:
> Parity is the ultimate hash.

Well, then, suppose that the raw data coming off my digitizer
consists of an endless sequences of even-parity words.  The
words have lots of variability, lots of entropy, but the parity
is always even.  Then the output of the simple-hash is an endless 
sequence of zeros.  I encrypt this with DES.  Maybe triple-DES.  
It's not going to help.  The generator is defective and doesn't 
even have satisfactory error-concealment.

I like my design a lot better:

+ Source --> Digitizer --> good hash

where I have chosen SHA-1 as my hash function.  

Finally, since SHA-1 is remarkably computationally efficient,
I don't understand the motivation to look for "simpler" hash
functions, especially if they are believed to require whitening
or other post-processing.

=================

Thanks again for the questions.  This is a good discussion.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com