[Cryptography] cheap sources of entropy

John Kelsey crypto.jmk at gmail.com
Thu Jan 30 20:46:15 EST 2014


On Jan 30, 2014, at 8:09 PM, Theodore Ts'o <tytso at mit.edu> wrote:
...
> This is why there are those of us who believe that it is useful to
> pull in sources which might not be "truly unpredictable", but
> "unpredictable to an outside, remote attacker" according to some
> threat model.

Yes.  I think there is a combination of these two views that makes a lot of sense:  Have at least one entropy source that's either purpose-built (like the Intel source) or carefully designed and analyzed from off-the-shelf components (like Turbid).  And then, use that to seed your PRNG in a way that will be secure if that component's entropy estimate is correct.  But also fold in those outside sources, as much as you can get.  (Ideally, with some kind of entropy estimate so you can wait till you have 128 or 256 bits of entropy to start generating outputs.)

Now, you get the combination that:

a.  If your purpose-built source is good, all is well.

b.  If not, your additional sources may still save the day.

One sideline of this:  If NSA or its Chinese equivalent slips a weakness into your purpose-built entropy source, they are unlikely to advertise this fact to the world.  So the entropy source may be quite secure to every attacker except them.  If they can't compromise your other sources of information, then you get secure random numbers, even if some other attacker knows those other sources.  (This is what I took to be James A Donald's point.)
...

> I'll also note that we also don't need perfection; we just need to
> make it harder than other attack vectors.  The old joke of "I don't
> need to run faster than the bear, I just have to run faster than
> *you*" applies here.

That's true, but I think this is in general a solvable problem.  It may be beyond our abilities to get a big, complicated software system that is impossible to compromise, but we should be able to get a good random number generator, in the same way we should be able to get strong encryption, signatures, etc. 
...
> 
>                                          - Ted

--John
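The design John describes above (one purpose-built source plus opportunistic ones, each with an entropy estimate, no output until the estimate reaches 128 or 256 bits, every source folded into the seed so a backdoor in one of them is not fatal) is sketched below as an added example. This is not code from the message, from Turbid, or from any real kernel RNG; the `EntropyPool` class, its method names, the `"hwrng"`/`"timing"`/`"netpkt"` source labels and the sample contributions are all constructed for illustration, and the HMAC-SHA256 counter generator with a key ratchet stands in for whatever DRBG a real system would use.

```python
"""Entropy pool that mixes a purpose-built source with opportunistic ones.

Every contribution carries the caller's own entropy estimate.  The pool
refuses to emit output until the accumulated estimate reaches the
threshold (128 or 256 bits).  The output generator is keyed with a hash
over *all* contributions, so predicting the output requires predicting
every source, not only the one an adversary may have weakened.
Hypothetical example code; nothing here is a real RNG implementation.
"""
import hashlib
import hmac
import os
import time


class EntropyPool:
    def __init__(self, threshold_bits=256):
        self.threshold_bits = threshold_bits
        self.estimated_bits = 0          # running sum of callers' estimates
        self._pool = hashlib.sha256()    # absorbs every contribution
        self._key = None                 # generator key, set by seed()
        self._counter = 0
        self.seeded = False

    def add(self, source, data, estimated_bits):
        """Fold a contribution in.  Source name and length are hashed too,
        so contributions from different sources cannot be confused."""
        self._pool.update(source.encode())
        self._pool.update(len(data).to_bytes(4, "big"))
        self._pool.update(data)
        self.estimated_bits += estimated_bits

    def ready(self):
        return self.estimated_bits >= self.threshold_bits

    def seed(self):
        """Key the generator from the pool; refuse if the estimate is short."""
        if not self.ready():
            raise RuntimeError(
                f"only {self.estimated_bits} of {self.threshold_bits} "
                "estimated bits collected; refusing to seed")
        # digest() does not finalize a hashlib object, so later add() calls
        # keep accumulating for a future reseed.
        self._key = self._pool.digest()
        self._counter = 0
        self.seeded = True

    def random_bytes(self, n):
        if not self.seeded:
            raise RuntimeError("pool not seeded")
        out = b""
        while len(out) < n:
            block = hmac.new(self._key, self._counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self._counter += 1
            out += block
        # Ratchet the key after each request so a later compromise of the
        # generator state does not reveal earlier outputs.
        self._key = hmac.new(self._key, b"ratchet", hashlib.sha256).digest()
        return out[:n]


def seed_from_sources(contributions, threshold_bits=128):
    """Build, fill and seed a pool from (source, data, estimated_bits)
    triples.  Returns the pool so the caller can draw outputs."""
    pool = EntropyPool(threshold_bits)
    for source, data, bits in contributions:
        pool.add(source, data, bits)
    pool.seed()
    return pool


def timing_jitter(samples=64):
    """Opportunistic source: low bits of successive clock readings.
    The entropy estimate for such data must be conservative; the caller,
    not this function, decides what to credit."""
    return bytes(time.perf_counter_ns() & 0xFF for _ in range(samples))


if __name__ == "__main__":
    # Purpose-built source credited at full rate, opportunistic sources at
    # a small fraction of their length (constructed estimates, not measured).
    pool = seed_from_sources([
        ("hwrng", os.urandom(32), 256),
        ("timing", timing_jitter(), 8),
    ], threshold_bits=256)
    print(pool.random_bytes(16).hex())
```

The two properties worth checking are the ones the message argues for: the pool will not hand out bytes until the credited estimate reaches the threshold, and changing any single contribution, including an opportunistic one while the "purpose-built" bytes stay identical, changes the output, which is exactly why an adversary who knows only the weakened source still cannot predict it.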

