[Cryptography] The ultimate random source

Bill Frantz frantz at pwpconsult.com
Fri Feb 21 18:38:23 EST 2014


John, thanks for emphasizing the need for careful analysis. Your 
points (originally at the end of your post) are quite valid:

>To summarize the main points:
>a) Cryptography requires attention to detail.
>b) There are a lot of things that can make the entropy less 
>than you guessed it was.
>c) The security of a RNG depends on having a reliable lower 
>bound on the entropy.  Guesses, estimates, and upper bounds do 
>not get the job done.
>d) Entropy is super-important, but it does not tell you everything
>you need to know.  It does not by itself solve all the world's
>problems.  Much depends on how the entropy is used.

I would quibble with point (c). If you have much more entropy 
than you need, the need for precision in estimating the lower 
bound is reduced. Having more than you need can make analysis 
tractable where analysis of a quantum source, such as radiation, 
Johnson noise -- pick your real source -- that only gave you 
just what you need is intractable because of the real-world 
engineering issues, such as hardware limits that prevent achieving 
the precision you need.

I played with the M&Ns because the exact color and position is 
something that a camera has to do fairly well in order to pass 
muster as a camera. I don't have to worry about post-processing 
getting rid of all the noise, because any noise that comes through 
is gravy and can only help a process that is already quite acceptable.

On 2/21/14 at 2:03 AM, jsd at av8n.com (John Denker) wrote:

>On Thu, 20 Feb 2014, Bill Frantz wrote:
>Now log(6^600) would not be a bad guess, and it serves as an 
>upper bound to this component of the entropy, but as a matter 
>of principle it's not the right thing.  It assumes that the 
>occupation of each site is independent, which surely isn't the 
>case.  Look at it this way:  The color of the final M&M is 
>completely determined by the state of the previous 599 M&Ms, 
>so it contributes exactly zero entropy.

It is more complex than that, and actually somewhat better. I 
used 18 3/8 ounces of M&Ms out of a 42 ounce bag. The color of 
the final M&M is not completely determined. (Computing this 
probability is where my statistics ran out.) However I have no 
reason to believe the M&Ms are evenly distributed between the 
colors, but the MK1A eyeball says it isn't too bad. (Actually 
counting them is above my pay scale.) Also we have the problem 
that we didn't really start with 42 ounces of M&Ms because some 
had been eaten. :-)


>A better estimate of the multiplicity is 600! / 100!^6 and upon
>taking the logarithm we find the entropy is approximately 1529 bits
>... about 22 bits less than the original guess.
>
>So this particularly obvious type of correlation makes only a 
>1.4% correction to the entropy.

Again, why we include a margin.


>On the third hand, if all you needed was 150 bits for seeding a
>CSPRNG, then 1529 is plenty, even if there are a few nonidealities

Seeding was my application. Also Phil was seeding. It is fairly 
obvious from the situation that whitening of the photo will be 
needed and seeding is a good way to whiten.


>On the fourth hand, there will be other types of correlation as 
>well, depending on as-yet unspecified details of the mixing 
>process.  You need to get a handle on this, to demonstrate that 
>the fundamental front-end physics really is giving you some 
>entropy.

If you want to do it right, put them in a lottery barrel and 
turn the crank for 5 minutes. :-) Even reaching into the bag 
with a hand and stirring them is "good enough" given the margin 
above the 128-512 bits needed for seeding.

I'm not sure there is any quantum physics based entropy here. 
What we do have is massive unguessability, unless an attacker 
can get a copy of the photo. At least we know what we have to 
guard, and how to check the full chain from M&Ms to CSPRNG for 
errors/failures etc. I have not seen how you check hardware 
sources, e.g. the Intel one, for hardware failures.

Cheers - Bill


-----------------------------------------------------------------------
Bill Frantz        |Security, like correctness, is| Periwinkle
(408)356-8506      |not an add-on feature. - Attr-| 16345 Englewood Ave
www.pwpconsult.com |ibuted to Andrew Tanenbaum    | Los Gatos, CA 95032
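As an added illustration (not code from either post): the arithmetic behind John's 1529-bit multiplicity estimate and the seed margin Bill argues for, in Python. It uses lgamma for the large factorials; the uneven colour counts are a constructed assumption, not counts from the photo.

```python
import math

# Entropy bookkeeping for the "photo of M&Ms" seed discussed in the thread.
# The colour counts below are constructed sample values, not data from the post.

def naive_bits(n_sites: int, n_colors: int) -> float:
    """Upper bound log2(k^n): every site independently takes one of k colours."""
    return n_sites * math.log2(n_colors)

def multinomial_bits(counts: list[int]) -> float:
    """log2 of the multiplicity n! / (c1! c2! ... ck!) for fixed colour counts.

    lgamma(x + 1) == ln(x!), which keeps the arithmetic in floating point
    instead of building 600! as an exact integer."""
    n = sum(counts)
    ln_mult = math.lgamma(n + 1) - sum(math.lgamma(c + 1) for c in counts)
    return ln_mult / math.log(2)

def correlation_correction(counts: list[int]) -> tuple[float, float]:
    """Bits lost versus the naive bound, and that loss as a percentage."""
    naive = naive_bits(sum(counts), len(counts))
    lost = naive - multinomial_bits(counts)
    return lost, 100.0 * lost / naive

def seed_margin(estimated_bits: float, required_bits: int = 512) -> float:
    """How many times over the CSPRNG seed requirement the estimate is
    (512 is the top of the 128-512 bit range mentioned in the post)."""
    return estimated_bits / required_bits

if __name__ == "__main__":
    even = [100] * 6            # John's idealised 600 M&Ms, 100 per colour
    print(f"naive bound:  {naive_bits(600, 6):.1f} bits")
    print(f"multinomial:  {multinomial_bits(even):.1f} bits")
    lost, pct = correlation_correction(even)
    print(f"correction:   {lost:.1f} bits ({pct:.2f}%)")
    # Constructed uneven mix: a bag that is not evenly split by colour
    # has fewer distinguishable arrangements, so the estimate drops further.
    uneven = [140, 120, 110, 95, 80, 55]
    print(f"uneven mix:   {multinomial_bits(uneven):.1f} bits")
    print(f"margin over a 512-bit seed: {seed_margin(multinomial_bits(uneven)):.2f}x")
```

The multinomial count is largest when the colours are equally represented, so any real, uneven bag gives fewer bits than the 1529 figure; the margin function shows why that still leaves a wide cushion over a 512-bit seed.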
