[Cryptography] cheap sources of entropy

Bill Frantz frantz at pwpconsult.com
Tue Jan 21 17:27:49 EST 2014


On 1/21/14 at 12:18 PM, jsd at av8n.com (John Denker) wrote:

>My point is that it makes more sense to have one or two
>properly-calibrated well-defended entropy sources than
>some vast number of "sources" that might produce entropy
>or might not.

I am going to assume that John means hardware sources here.

Now I contend that as a sound engineering principle, any 
hardware device that is being relied on for important functions 
-- life support, security, etc. -- must be regularly tested for functionality.


On 1/20/14 at 1:38 PM, jsd at av8n.com (John Denker) wrote:

>It tells you that if you are using an accelerometer to capture
>the human interaction, the physics of the sensor is a better 
>source of entropy than the human is.

...

>Given a high-precision microphone preamp, it provides better 
>randomness if the input is open-circuited, rather than attached
>to an actual microphone, no matter how "complex" the acoustic
>environment is ... and it continues to work even in non-complex environments.

It seems to me if we are fortunate enough to have a large number 
of sources, like on a smart phone, we should use them all. (My 
phone has at least: 2 radio receivers (GPS + cell), 
accelerometer, compass, microphone, 2 cameras). We don't have to 
add extra hardware. We just have to characterize the hardware we 
already have.

There are at least two reasons why this is the best approach:

   * The user regularly tests the hardware and gets it repaired 
when it fails,

   * The bean counters don't have to pay for extra hardware.

Most of the characterizable entropy comes from things like 
thermal noise in the amplifiers and band noise in the radios. 
(However, the bands used by cell phone receivers are 
characterized by relatively low noise.) The rest is what John 
calls "squishy", however we'll mix it in anyway.

If we add hardware to open the input to e.g. the microphone and 
cameras, then we run the risk of having it fail in a way that 
destroys the entropy, so we want to characterize things with 
everything in place. No extra hardware keeps the bean counters 
happier too.

Having dedicated hardware for randomness is strictly worse 
because we don't have any good tests that show it is still working.

Almost any approach is critically dependent on the mixing 
function. I have always assumed that secure hash functions work 
well in this application, but I don't know of any proof.

Cheers - Bill



-----------------------------------------------------------------------
Bill Frantz        |The nice thing about standards| Periwinkle
(408)356-8506      |is there are so many to choose| 16345 Englewood Ave
www.pwpconsult.com |from.   - Andrew Tanenbaum    | Los Gatos, CA 95032
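
The two ideas in the message above, testing a source for functionality and mixing every available source through a secure hash, are sketched below as an added example; it is not part of the original message and is not code from anyone on the list. Assumptions: SHA-256 as the mixing function, the repetition count test from NIST SP 800-90B (alpha = 2^-20) as the functionality check, placeholder per-sample entropy figures in place of a real characterization, and constructed sample arrays in place of sensor reads.

```python
import hashlib
import math

def repetition_cutoff(h_per_sample, alpha_exp=20):
    """SP 800-90B repetition count cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(alpha_exp / h_per_sample)

def is_stuck(samples, h_per_sample):
    """True if one value repeats C or more times in a row (total failure)."""
    cutoff, run, prev = repetition_cutoff(h_per_sample), 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return True
    return False

class Pool:
    def __init__(self):
        self.state = bytes(32)
        self.credited_bits = 0.0

    def mix(self, label, samples, h_per_sample):
        """Hash every source in; credit only characterized, non-stuck ones."""
        healthy = h_per_sample > 0 and not is_stuck(samples, h_per_sample)
        h = hashlib.sha256()
        # Length-prefix each field so (label, data) boundaries are unambiguous.
        for field in (self.state, label.encode(), bytes(samples)):
            h.update(len(field).to_bytes(4, "big") + field)
        self.state = h.digest()
        if healthy:
            self.credited_bits += h_per_sample * len(samples)
        return healthy

def demo():
    # Constructed stand-ins for sensor reads (8-bit samples), not real captures.
    mic = [(i * 37 + 11) % 256 for i in range(200)]   # varying preamp output
    dead_camera = [128] * 200                          # failed, constant output
    accel = [(i // 7) % 256 for i in range(200)]       # "squishy" human motion
    pool = Pool()
    results = {
        "mic": pool.mix("mic", mic, 2.0),              # assumed 2 bits/sample
        "camera": pool.mix("camera", dead_camera, 2.0),
        "accel": pool.mix("accel", accel, 0),          # uncharacterized: no credit
    }
    return pool, results

if __name__ == "__main__":
    pool, results = demo()
    print(results, pool.credited_bits, pool.state.hex())
```

The repetition count test only catches a source that has gone constant; passing it says nothing about whether the output is unpredictable, which is why the failed and uncharacterized sources are still hashed in but add nothing to the credited total.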


