[Cryptography] A TRNG Review Per Day: TrueRNG

Jerry Leichter leichter at lrw.com
Wed Nov 12 14:21:09 EST 2014


On Nov 12, 2014, at 12:45 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> ...However, a small correlation is OK.  We can just subtract any measurable correlation from the estimated entropy per source.
It's not so simple.  Correlation and entropy in an active attack environment don't play well.

Suppose you had source R1.  I use R1 delayed by one bit as a second source R2.  Any correlation between R1 and R2 is an autocorrelation at length 1 of R1 with itself - one of the things we would presumably check for to begin with, and it's something even fairly simple RNGs would be expected to attain.  And yet if someone learns either R1 or R2, there is no randomness left.  Also, the combined entropy had better be exactly that of R1 (or R2) or we could bootstrap arbitrarily high entropy out of any source by simply combining itself with itself at different lags.  (Note that what I'm suggesting outputs bits at the same rate as R1.  If you actually used two successive bits of R1 to generate one bit of output, you would have gained entropy per output bit.)

This is one of those situations (common in tests for RNGs) where if we *find* something (correlation), we know the RNG is bad; but if we fail to find it, we haven't really learned anything.
                                                        -- Jerry
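The construction in the message above, worked through numerically as an added example (this is not code from the thread or from the TrueRNG project). It assumes a seeded PRNG standing in for the TRNG output R1, XOR as the combiner, and models the "subtract the measured correlation" rule as a naive per-pair estimate; all sample data is constructed in the block.

```python
import math
import random
from collections import Counter


def make_sources(n, seed=20141112):
    """Constructed sample data: R1 is a fair-coin bit stream from a seeded PRNG
    (a stand-in for a TRNG; assumption, not TrueRNG output), and R2 is R1
    delayed by one bit, exactly the construction in the message above."""
    rng = random.Random(seed)
    r1 = [rng.getrandbits(1) for _ in range(n)]
    r2 = [0] + r1[:-1]          # R2[i] = R1[i-1]; the first bit is padding
    return r1, r2


def correlation(a, b):
    """Pearson correlation of two equal-length bit sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b)) / n
    va = sum((x - ma) ** 2 for x in a) / n
    vb = sum((y - mb) ** 2 for y in b) / n
    return cov / math.sqrt(va * vb)


def shannon_entropy(symbols):
    """Empirical Shannon entropy in bits per symbol, from symbol frequencies."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def conditional_entropy(target, given):
    """Empirical H(target | given) = H(target, given) - H(given): how much of
    `target` is still unknown once `given` has been observed."""
    joint = shannon_entropy(list(zip(target, given)))
    return joint - shannon_entropy(given)


def combine(r1, r2):
    """XOR the two 'sources' bit by bit: one output bit per input bit, the
    same rate as R1, as the message specifies (XOR is an assumed combiner)."""
    return [a ^ b for a, b in zip(r1, r2)]


def naive_pair_estimate(r1, r2):
    """The rule the message argues against (modelled here as an assumption):
    credit each source its own entropy, then subtract the measured correlation."""
    return shannon_entropy(r1) + shannon_entropy(r2) - abs(correlation(r1, r2))


def analyse(n=20000):
    """Contrast what per-source and pairwise statistics see with what an
    observer who has already seen R1 actually knows."""
    r1, r2 = make_sources(n)
    out = combine(r1, r2)
    return {
        # Per-source tests pass: full entropy, no lag-1 autocorrelation.
        "h_r1": shannon_entropy(r1),
        "lag1_autocorr_r1": correlation(r1[1:], r1[:-1]),
        # The pairwise check between the two "sources" also sees ~0.
        "corr_r1_r2": correlation(r1, r2),
        # So the naive rule credits close to 2 bits per pair of samples...
        "naive_pair_estimate": naive_pair_estimate(r1, r2),
        # ...yet R2 is fully determined by the previous R1 bit (0 bits left),
        "h_r2_given_prev_r1": conditional_entropy(r2[1:], r1[:-1]),
        # and the XOR-combined stream, which looks like 1 bit/sample on its
        # own, is likewise fully determined by the two R1 bits that made it.
        "h_out": shannon_entropy(out),
        "h_out_given_r1_pair": conditional_entropy(
            out[1:], list(zip(r1[1:], r1[:-1]))),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name:22s} {value:.4f}")
```

The point the numbers make is the one in the message: correlation measured between R1 and R2 is just the lag-1 autocorrelation of R1, which a good source passes, so the naive estimate credits nearly two bits per pair, while the conditional entropies show that once R1 is known nothing of R2 or of the combined stream remains. Finding correlation condemns a source; failing to find it does not certify the combined entropy.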


