[Cryptography] cheap sources of entropy

Jerry Leichter leichter at lrw.com
Mon Jan 20 15:55:43 EST 2014


On Jan 20, 2014, at 1:59 PM, John Denker <jsd at av8n.com> wrote:
>> Getting quality random bits when you have (a) almost any kind of
>> high-rate real-world sensor and (b) a human being willing to help is
>> an easy problem.  Any modern cellphone can provide tons of randomness
>> if a person moves it around, talks to it, waves his hands around in
>> front of it.
> 
> That is not the smart way to think about it....
I have no problem with Turbid and with the general notion of getting randomness from good physical sources.  But you missed the point of my message entirely.

We keep coming back to discussions of randomness generators in general, and being side-tracked by focusing on generators in "easy" situations.  Situations where you can add hardware and software to do something like Turbid are easy.  (It's not about whether *Turbid* is easy, it's about what you can do given that you already have it.)  Situations like the one I mentioned above are also easy.

Perhaps it would be better to get away from "randomness" and talk about "unpredictability".  Yes, I consider the inputs from a bunch of sensors in a cell phone being swung around by a human being to be unpredictable.  Even to someone who has no access to the cellphone but does have several high-quality sight and sound recordings of the event.  All the processes in play are noisy and have large chaotic components.  A sound field in a complex natural environment, if looked at to high precision, is extremely variable from place to place and from moment to moment.  Sure, you can get the general field pretty precisely - but knowing whether the bottom bit of output from a sensitive A/D converter is set at any particular sampling time (which you don't know exactly either) - no.  Human motion is governed by the firing of multiple nerve cells triggering multiple muscle cells, subject to multiple layers of neural control, all interacting in complicated ways with feedback from sensors of internal and external state.  Even the most practiced of movements vary in unpredictable ways when repeated and measured to the kind of accuracy that you can easily get from cell phone sensors.  And you know ... some of the variation in neural behavior is due to exactly the kind of quantum noise down at the synaptic level that you're basing Turbid on.  A real neuron isn't the same as the neurons we use for nice CS examples - it's much more complicated.

If I had a *choice* between a carefully implemented physical circuit based on shot noise or some similar well-understood source of "core randomness" or something fairly ad hoc based on sensors and human interaction, *of course* I would choose the former.  But that may not be available.  Still, the latter isn't bad, even if the actual randomness available can't be as easily quantified.

Very few things in the real world are subject to proof in any mathematical sense.  No one can compute the strength of steel beams from first principles; we measure the strengths of materials in particular quantities, configurations, at particular temperatures and other real-world conditions, make tables, and go from there.  Even then, exact computation of the dynamic forces - often even the static forces - present on the beams in a building are way beyond our capabilities.  We make approximations, and we add a safety factor just in case.  Still - buildings and bridges and such stay up and behave as predicted, for the most part.

I contend that I can build a system of the sort I described and have sufficient confidence in the unpredictability of the values, and of their range ("entropy", if you like - I find that word so often misused in cryptographic discussions that I try to avoid it), that I'd have no qualms using it as a source of "randomness" for pretty much any purpose.

Would I *prefer* to have a Turbid-style generator to mix the values up with?  Absolutely, but I can live without it if I have to.  (Why "mix it up"?  Because you can prove all you like about the *design*, but you can prove absolutely nothing about the *physical artifact* I have sitting on the desk in front of me.  That thing over there is *supposed* to be just a 47K resistor; and that's *supposed* to be a plain USB connector.  But can you know for sure?)

                                                        -- Jerry
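[Editor's added example, not code from the post, from Turbid, or from any project mentioned in it.  It illustrates two points above: keeping only the bottom bits of sensor samples and putting a conservative number on how unpredictable they are, and "mixing up" an ad hoc sensor source with a second source so that the output stays unpredictable as long as at least one input is.  The sensor readings and the "hardware" bytes are constructed for the example; the source labels "phone-sensors" and "turbid" are arbitrary names chosen here.  The entropy estimate is the most-common-value estimator from NIST SP 800-90B, used as a floor rather than a claim about the real device.]

```python
"""Conditioning sensor noise together with a second entropy source.

The sample readings below are constructed for this example; a real
implementation would read them from the device.
"""
import hashlib
import math
import struct
from collections import Counter

# Constructed readings: 12-bit accelerometer ticks and signed 16-bit
# microphone samples.  Only their lowest bits are treated as noise.
ACCEL_SAMPLES = [2047, 2051, 2040, 2062, 2049, 2053, 2038, 2044, 2057, 2046, 2050, 2041]
MIC_SAMPLES = [-120, 233, -87, 310, -412, 55, 178, -233, 401, -19, 96, -305]

# Constructed stand-in for a hardware source such as a Turbid-style circuit.
HW_BLOB = bytes(range(32))


def lsb_bits(samples, nbits=2):
    """Keep only the lowest nbits of each sample; the upper bits are
    the signal an observer could reconstruct, the bottom ones are noise."""
    return [(s >> i) & 1 for s in samples for i in range(nbits)]


def mcv_min_entropy(symbols):
    """Most-common-value min-entropy per symbol (NIST SP 800-90B, 6.3.1).
    Uses an upper confidence bound on the commonest value's frequency, so
    the estimate errs on the low side."""
    n = len(symbols)
    if n < 2:
        return 0.0
    p_hat = max(Counter(symbols).values()) / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def pack_bits(bits):
    """Pack a bit list MSB-first into bytes, zero-padding the last byte."""
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        byte = 0
        for b in chunk:
            byte = (byte << 1) | b
        out.append(byte << (8 - len(chunk)))
    return bytes(out)


def hash_mix(sources, out_len=32):
    """Condition labelled sources with SHA-256.  Labels and blobs are
    length-prefixed so one source cannot shift into another, and a source
    that turns out to be predictable cannot be used to undo the others."""
    h = hashlib.sha256()
    for label, data in sources:
        h.update(struct.pack(">I", len(label)) + label)
        h.update(struct.pack(">I", len(data)) + data)
    return h.digest()[:out_len]


def xor_mix(blobs):
    """Naive XOR combiner, here only to contrast with hash_mix."""
    out = bytearray(len(blobs[0]))
    for blob in blobs:
        for i, b in enumerate(blob):
            out[i] ^= b
    return bytes(out)


def xor_cancellation(honest, target):
    """A source that gets to see the honest input can pick its own
    contribution so that the XOR combiner emits any target it likes.
    A hash combiner gives an adversarial source no such lever."""
    return bytes(a ^ t for a, t in zip(honest, target))


def seed_from_sensors():
    """Estimate the sensor bits' entropy, then fold them in with the
    hardware blob.  Returns (per-bit min-entropy estimate, 32-byte seed)."""
    sensor_bits = lsb_bits(ACCEL_SAMPLES) + lsb_bits(MIC_SAMPLES)
    estimate = mcv_min_entropy(sensor_bits)
    seed = hash_mix([(b"phone-sensors", pack_bits(sensor_bits)),
                     (b"turbid", HW_BLOB)])
    return estimate, seed


if __name__ == "__main__":
    est, seed = seed_from_sensors()
    print(f"min-entropy estimate per sensor bit: {est:.3f}")
    print(f"seed: {seed.hex()}")
```

The estimate is a floor computed from a handful of constructed samples, so it says nothing about any real phone; in practice you would collect far more samples and run the full 800-90B suite before trusting a number.  The point of hash_mix over xor_mix is the one the message makes about the artifact on the desk: if the "47K resistor" turns out to be something else, a hash conditioner still leaves the output as unpredictable as the honest source, while an XOR combiner lets a source that can observe the others steer the result.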
