combining entropy
Jon Callas
jon at callas.org
Fri Oct 24 15:42:59 EDT 2008
On Sep 29, 2008, at 5:13 AM, IanG wrote:
> If I have N pools of entropy (all same size X) and I pool them
> together with XOR, is that as good as it gets?
>
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.

It's within epsilon for a good many epsilon.

I'm presuming you want the resultant size to be X, as well. Otherwise,
the suggestion that Ben has, concatenation, is obviously better, and
you can solve obvious problems.

Another solution is to hash the N pools together with a suitably
secure function. (Most of the available algorithms are suitably secure
for this purpose.) The downside of this is that you are capping your
entropy at the size of the hash function. It's better than XOR because
it's not linear, blah, blah, blah.

However, if you had three pools, each relatively large, it doesn't
hurt anything to XOR them together. It's pretty easy to prove that the
result does not decrease entropy, but I think it's impossible to prove
that it increases it. XORing is really taking the max of the N pools.

You have to realize that if there's a chance to leak the
entropy pool, XOR is a bad function. If whoever produced pool X sees
X^Y, then they know Y. But you know that, too.

Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
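
The three combiners discussed in this message (XOR, concatenation, hashing) and the leak property from its last paragraph, as an added Python example that is not part of the original message. The function names, the choice of SHA-256, and the length prefix are assumptions of the example, and the sample pools are constructed.

```python
import hashlib
import secrets
from functools import reduce

def _check(pools):
    # All pools must exist and share one size X, as in the question.
    if not pools or len({len(p) for p in pools}) != 1:
        raise ValueError("need one or more pools of identical size")

def xor_combine(pools):
    """Lossy, linear combiner: the output is X bytes, like each input."""
    _check(pools)
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), pools)

def concat_combine(pools):
    """Lossless combiner: the output is N*X bytes, nothing is discarded."""
    _check(pools)
    return b"".join(pools)

def hash_combine(pools):
    """Non-linear combiner: the output is capped at the 32-byte digest."""
    _check(pools)
    h = hashlib.sha256()
    for p in pools:
        # Length prefix keeps pool boundaries unambiguous (example's choice).
        h.update(len(p).to_bytes(8, "big"))
        h.update(p)
    return h.digest()

def recover_from_leak(own_pool, leaked_xor):
    """What the producer of one pool learns when the XOR result leaks:
    the XOR of every other pool (with two pools, the other pool itself)."""
    return xor_combine([own_pool, leaked_xor])

if __name__ == "__main__":
    X = 64
    pool_x = b"\xaa" * X             # constructed: untrusted, known to its producer
    pool_y = secrets.token_bytes(X)  # constructed: the one trusted source
    combined = xor_combine([pool_x, pool_y])
    print("sizes  xor/concat/hash:", len(combined),
          len(concat_combine([pool_x, pool_y])),
          len(hash_combine([pool_x, pool_y])))
    # Producer of pool_x sees the leaked X^Y and recovers Y exactly.
    print("XOR leak exposes Y:", recover_from_leak(pool_x, combined) == pool_y)
    # The hash output gives the same party no linear relation to undo.
    digest = hash_combine([pool_x, pool_y])
    print("hash leak equals X^Y prefix:", digest == combined[:32])
```
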