[Cryptography] cheap sources of entropy

John Denker jsd at av8n.com
Thu Jan 30 00:36:39 EST 2014


I wrote:
 
>> One well-calibrated well-defended well-monitored entropy source
>> makes incomparably more sense than an arbitrarily complicated
>> conglomeration of sucky sources.            [A]

On 01/29/2014 09:11 PM, dan at geer.org wrote:

> Recalibrating first principles for a moment, please.  My understanding
> is that a mix of N bit streams will be truly unpredictable if any 1 of
> the N bit streams is truly unpredictable.         [B]

Well, that's basically the right idea.  I will assume(*) that
by "mix" you mean something like a good cryptologic hash.

Let's explore the consequences:

As a corollary, if you have one truly completely unpredictable
input, the others don't help.  This is consistent with my
statement [A].

  If you want to talk about redundancy, we need to have a muuuuch
  more detailed discussion.  If you're serious, we would have
  to work out a full fault tree to check for correlated failures.

Conversely, there are a lot of people -- in this forum and
elsewhere -- who seem to think they can make a silk purse out 
of a sow's ear, if only they can get their hands on "enough" 
sow's ears.  There is nothing in statement [B] to support this 
approach.  Basic engineering principles and experience indicate 
that this is not, in fact, a viable approach.  This is consistent
with my statement [A].

  If you want to talk about combining multiple *good* entropy
  sources, we can do that.  However, any one of them would 
  serve as the basis for a proper HRNG.  Combining them just 
  improves the output rate, without changing the principle of
  the thing.  We are talking about multiple good, well-calibrated
  well-defended well-monitored sources.  All this is consistent
  with my statement [A].


> If that is incorrect, what am I missing? 

(*) Not meaning to derail the conversation, but there are lots
of "mix" functions, not all of which are suitable for this
application.  For example, if you /collate/ the inputs, the
output could very well be far from unpredictable, even if one
of the inputs is truly unpredictable.

Also, if you take two inputs, each of which /by itself/ is
completely unpredictable, bad things might happen if you "mix"
them using XOR, since they might be correlated.  Let's not even 
discuss foolish "mix" functions such as Boolean AND.

The thing I don't understand is why any of this should be
considered controversial.
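To make the footnote concrete, here is a small experiment, added as an illustration and not part of the original post: it compares a hash-based mix against collation, XOR and Boolean AND. It assumes SHA-256 as the "good cryptologic hash", and its inputs are constructed: a seeded PRNG stands in for the "truly unpredictable" source (it is not real entropy), an all-zero stream stands in for a source the attacker knows completely, and `inverted` is a second stream that looks fine on its own but is perfectly correlated with the first. The entropy figure is a crude bit-frequency count that only catches gross failures such as constant output; it is not an entropy estimator to calibrate an HRNG with.

```python
"""Experiments with the "mix" functions from the post: a cryptographic
hash versus collation, XOR and Boolean AND.  All inputs are constructed."""
import hashlib
import math
import random
from collections import Counter


def mix_hash(*inputs: bytes) -> bytes:
    """Hash-based mix: length-prefix each input (so boundaries are
    unambiguous) and run everything through SHA-256."""
    h = hashlib.sha256()
    for chunk in inputs:
        h.update(len(chunk).to_bytes(4, "big"))
        h.update(chunk)
    return h.digest()


def mix_xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length streams."""
    return bytes(x ^ y for x, y in zip(a, b))


def mix_and(a: bytes, b: bytes) -> bytes:
    """Bytewise Boolean AND, the "foolish" combiner named in the post."""
    return bytes(x & y for x, y in zip(a, b))


def mix_collate(a: bytes, b: bytes) -> bytes:
    """Collation: interleave the two streams byte by byte, no hashing."""
    out = bytearray()
    for x, y in zip(a, b):
        out += bytes((x, y))
    return bytes(out)


def bit_entropy(data: bytes) -> float:
    """Empirical Shannon entropy per bit, in [0.0, 1.0].  A gross-failure
    detector only (flags constant output); it cannot tell whether a stream
    is actually unpredictable."""
    bits = "".join(f"{byte:08b}" for byte in data)
    if not bits:
        return 0.0
    n = len(bits)
    return -sum(c / n * math.log2(c / n) for c in Counter(bits).values())


def predictable_fraction(data: bytes, known: bytes) -> float:
    """Fraction of output bytes equal to an attacker-known stream at the
    same position, i.e. bytes that passed through the mix unchanged."""
    hits = sum(1 for x, y in zip(data, known) if x == y)
    return hits / len(data)


def run_experiments(seed: int = 1) -> dict:
    """Entropy figures for each mix.  'good' is a seeded PRNG standing in
    for a well-calibrated source (constructed; NOT real entropy)."""
    rng = random.Random(seed)
    good = bytes(rng.getrandbits(8) for _ in range(4096))
    inverted = bytes(x ^ 0xFF for x in good)  # fine alone, fully correlated with 'good'
    zeros = bytes(4096)                        # a source the attacker knows completely
    return {
        # one unpredictable input is enough for the hash mix
        "hash_good_plus_zeros": bit_entropy(mix_hash(good, zeros)),
        # XOR of two correlated streams collapses to a constant
        "xor_good_with_itself": bit_entropy(mix_xor(good, good)),
        "xor_good_with_inverse": bit_entropy(mix_xor(good, inverted)),
        # AND with a known-zero stream throws the good input away
        "and_good_with_zeros": bit_entropy(mix_and(good, zeros)),
        # collation passes every byte of the known input straight through
        "collate_known_fraction": predictable_fraction(
            mix_collate(good, zeros), bytes(8192)),
    }


if __name__ == "__main__":
    for name, value in run_experiments().items():
        print(f"{name:24s} {value:.3f}")
```

Running it shows the hash mix near 1 bit per bit with only one unpredictable input, the XOR and AND cases at exactly 0, and about half the collated output equal to the known stream. The length prefix in `mix_hash` is there so that `(b"ab", b"")` and `(b"a", b"b")` hash differently; plain concatenation would let one source's boundary shift into another's.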


