[Cryptography] cheap sources of entropy

John Denker jsd at av8n.com
Mon Jan 20 16:38:19 EST 2014


On 01/20/2014 01:55 PM, Jerry Leichter wrote:
> If I had a *choice* between a carefully implemented physical circuit 
> based on shot noise or some similar well-understood source of "core 
> randomness" or something fairly ad hoc based on sensors and human 
> interaction, *of course* I would choose the former. 

OK.

>  But that may
> not be available.  Still, the latter isn't bad, even if the actual 
> randomness available can't be as easily quantified.

I still claim it is worth quantifying things as much as you
can.  The calculation is not that hard to do, and it tells you
things you wouldn't otherwise know. 

It tells you that if you are using an accelerometer to capture
the human interaction, the physics of the sensor is a better 
source of entropy than the human is.  More specifically, it
tells you that choosing a sensor with more gain and/or more 
bandwidth buys you a lot more than any amount of wild arm-waving.
The arm-waving increases the amount of squish, but it does not
appreciably increase the amount of hard-core entropy.

> A sound field in a complex natural environment, if looked at to high
> precision, is extremely variable from place to place and from moment
> to moment.

Given a high-precision microphone preamp, it provides better 
randomness if the input is open-circuited, rather than attached
to an actual microphone, no matter how "complex" the acoustic
environment is ... and it continues to work even in non-complex 
environments.

> firing of multiple nerve cells triggering multiple muscle cells

That suffers from the fact that the bandwidth is not large.
The mass of the arm produces a low-pass filter, in accordance
with Newton's second law of motion.  If you did the calculation, 
you would notice this immediately.

If you don't know how to do the calculation, that does not
give you a license to just give up.  If you don't know how 
to do the calculation, collaborate with somebody who does.



On 01/20/2014 12:50 PM, Krisztián Pintér wrote:
> theoretically and strictly speaking, there is no such thing as lower
> bound on entropy.

Nonsense.

> we can only put upper bounds

Speak for yourself, Kemosabe.

The fact is:
  a) Statistical tests provide only upper bounds.
  b) Security depends on establishing a lower bound.
  c) Under reasonable conditions, physics can provide 
   the required lower bound.

> if the world is deterministic, entropy is pretty hard to even
> interpret.

Petitio principii is not an acceptable substitute for actual
evidence.

The world I live in is not deterministic.  This is required
by the laws of thermodynamics, not to mention quantum mechanics.

Computers are deterministic, to a good-enough approximation,
because engineers go to a lot of trouble to make them so.

Everyone should please refrain from assuming that the real
world works the same way a computer does.  Specifically:
Any Turing-computable model of the universe would be at best
a hidden-variable theory.  It appears that any such theory
that is subject to relativistic causality would violate the 
laws of quantum mechanics in general, and the Bell inequalities
in particular.

So what's the deal?  Are you assuming everything we know 
about QM is wrong, or everything we know about relativity
is wrong?  Do you have any actual evidence?

> we always talk about the entropy as seen by some specific observer

That would be the /conditional entropy/.  That is related
to conditional probability in the same way that entropy
is related to probability.

A good TRNG produces unconditional entropy.  I could not
predict the output of my own TRNG even if I wanted to.

> you can hardly say anything looking at the data.

Statistical tests on the RNG output (or the raw sensor
data) can provide upper bounds on the entropy.  This is 
sometimes interesting, but it is nowhere near sufficient 
for building a secure system.

> if a scientist comes up with a better model of handwaving or a better
> model of how noise on a video camera works, the effective entropy
> drops.

Not necessarily, unless you plan on violating basic, long-
established laws of physics.

As James Randi is fond of saying:  Extraordinary claims require 
extraordinary proof.  I haven't seen any proof -- or indeed any
evidence -- that any "better model" can remove Johnson noise
from a signal.


More information about the cryptography mailing list