combining entropy

John Denker jsd at
Fri Oct 24 18:20:24 EDT 2008

On 10/24/2008 01:12 PM, Jack Lloyd wrote:

> .... is a very different statement from saying that
> lacking such an attacker, you can safely assume your 'pools of
> entropy' (to quote the original question) are independent in the
> information-theoretic sense.

The question, according to the original poster, is not 
whether it is "safe" to assume that one of the entropy
sources can be trusted.  Safe or not, the question explicitly 
assumed that one of the sources was trusted ... and asked 
what the consequences of that assumption would be.

In particular, evidently the scenario was that we started
with N high-entropy randomness generators, but N-1 of
them have failed.  One of them is still working, but we
don't know which one.

In that scenario, XOR is a good-enough combining function,
and nothing else would be any better.

If somebody wants to discuss a different scenario, please
clarify what the new scenario is.

Suggesting that the "trusted" source is correlated with one
of the other sources is quite contrary to the requirements
expressed in the original question.

That is to say, if the source is not independent, it was
never eligible to be a trusted entropy source.

If you want to quantify this, write down the _joint_ probability
distribution for all the sources, and calculate the entropy
of that distribution in the usual way.

1) There is _one_ very precise meaning for "entropy" that is 
well-established and conventional across a wide range of 
fields ... everything from kitchen appliances to cosmology.

2) Authors are allowed to define and redefine terms however
they please ... _provided_ they define any nonstandard terms
that they use.  Anybody who takes a well-established standard
term and uses it in a nonstandard way has a double-extra-special
duty to explain what he's doing.

I assume the original poster was using the term "entropy"
in the conventional, precise sense ... and until I hear
otherwise I will continue to do so.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list