building a true RNG
John S. Denker
jsd at monmouth.com
Sat Jul 27 13:52:34 EDT 2002
I wrote:
> > a) if the hash function happens to have a property I call "no
> >wasted entropy" then the whitening stage is superfluous (and
> >you may decide to classify the hash as "non-simple");
David Honig responded:
> Not wasting entropy does not mean that a function's output
> is "white" ie uniformly distributed. E.g., a function
> which doubles every bit: 0->00, 1->11 preserves total
> entropy but does not produce uniformly distributed output.
> (It also reduces entropy/symbol.)
That's a red-herring tangent. I'm not talking about any old
function that doesn't waste entropy; I'm talking about a
!!hash!! function that doesn't waste entropy. The hash function
has a hard constraint on the word-size of its output. If it
starts doubling bits, or otherwise putting out redundancies,
then it is wasting entropy. See the discussion of the BADHASH-2
function in the paper.
http://www.monmouth.com/~jsd/turbid/
And remember: in addition to having a non-entropy-wasting hash
function, we are also required to saturate its input. Then we can
conclude that the output is white to a very high degree, as
quantitatively discussed in the paper.
> The simple-hash's --lets call it a digest-- function is to increase the
> entropy/symbol
> by *reducing* the number of symbols while preserving *total* entropy.
Total entropy is preserved in the non-saturated regime. This is
documented in upper rows of the table:
http://www.monmouth.com/~jsd/turbid/paper/turbid.htm#tab-saturation
In the saturated regime, some entropy is necessarily lost. This is
documented in the lower rows of the table. This is only a small
percentage, but it is mandatory. I don't consider this to be "wasted"
entropy; I consider it entropy well spent. That is, these are
necessary hash collisions, as opposed to unnecessary ones.
> A function like xor(bit N, bit N+1) which halves the number of bits
> can do this. While its output is whiter than its input, its output
> will not be perfectly white unless its input was.
See the discussion of BADHASH-1 in the paper.
> Two scenarios where SHA is contraindicated came up:
> 1. hardware
> 2. interrupt handlers
>
> Sometimes a hardware RNG will feed raw data into a crypto-WEAK analogue of
> SHA,
> ie a LFSR which does the bit-reduction and mixing functions,
> but doesn't mix as well as SHA. (LFSR are hardware-friendly) Separating
> the bit-reduction from the mixing can be useful for analyzing what's
> really going on.
Well, I tend to agree that systems that separate the bit-reduction
from the mixing are easier to analyze, in the sense that it is
easier to find flaws in them. But that's because they're so flawed!
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list