[Cryptography] Entropy is forever ...

dj at deadhat.com dj at deadhat.com
Fri Apr 24 15:06:22 EDT 2015


>Another perspective is to break down the analysis in two steps:
>
>1) You need the lessons from physicists before the digitizing sensor for
>the real world random process on which the hardware RNG relies.

Also analog circuit experts. A physicist can do a good job of the min-entropy
math, but a poor job of understanding how to make a production circuit
robust over a production PVT envelope, and manufacturable and testable.

I've been through this with physicists, cryptographers and analog experts
with the entropy source designs for my RNGs. Entropy source design is
necessarily a team effort.

>2) After the digital samples (numeric values) are taken, the system
>analysis turns to the Shannon information theory (and refinements like
>the Rényi entropy) with its limited definition of entropy.

The proofs for most extractors define a required min-entropy (as in Hinf(X))
at their inputs. 0.5 is a common barrier below which you cannot go,
except that multiple input extractors can get you from below 0.5 to
above 0.5. So min-entropy lower bound testing is my primary concern
with data analysis from entropy sources. There is also stationarity
testing, which is a whole different problem.

>In the second step, the (information theory) entropy assessment of a
>PRNG seed is derived from the analysis in the first step (a
>characterization of the random data source). This analysis is
>(typically, necessarily?) out-of-band of the data flow.

Yes. You can't do min-entropy testing online. Online testing must be
testing for a known failure mode. Success looks like any and all
random strings. You can't test for that. You can test for a high
confidence of the data looking like what you would get from a broken
source.

>Despite the inter-relationships between the two steps, breaking down the
>analysis in two steps helps simple minded persons like me.

And in practice too. The testing you do against the output of the entropy
source is not the same as the testing against the output of the
conditioner which in turn isn't the same as the testing at the output of a
CSPRNG. These things sit in a chain and you test them all online and
offline in a decent RNG. It's a pretty complex logic design challenge, at
least it seemed that way before I did it, which was a lot of work. I know
how to do it now, so it's not so hard.
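The split the post describes, an offline min-entropy lower bound on characterized samples and an online test that only looks for one known failure mode (a stuck source), as an added example that is not part of the thread. It assumes 1-bit samples, uses the SP 800-90B most-common-value estimator and repetition-count cutoff formula, and runs on a constructed fixture rather than measured data.

```python
import math
from collections import Counter

def mcv_min_entropy(samples):
    """Offline lower-bound estimate of H_inf(X) per sample.

    The plug-in estimate is -log2(p_max); p_max is first pushed up to a 99%
    upper confidence bound (SP 800-90B most-common-value estimator), so the
    result is a lower bound, not a point estimate. It sees symbol frequencies
    only: structure across samples (stationarity) is a separate problem.
    """
    n = len(samples)
    p_max = max(Counter(samples).values()) / n
    p_upper = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / (n - 1)))
    return -math.log2(p_upper)

def repetition_cutoff(h_min, false_alarm_log2=20):
    """Run length C that a healthy source with min-entropy h_min per sample
    reaches with probability <= 2**-false_alarm_log2, because
    Pr[C identical samples] <= p_max**(C-1) = 2**(-h_min*(C-1))."""
    return 1 + math.ceil(false_alarm_log2 / h_min)

def repetition_count_fails(samples, cutoff):
    """Online test for one known failure mode (stuck output): True as soon as a
    run of identical samples reaches `cutoff`. It cannot certify randomness,
    only flag data that looks like this particular breakage."""
    run = 1
    for prev, cur in zip(samples, samples[1:]):
        run = run + 1 if cur == prev else 1
        if run >= cutoff:
            return True
    return False

# Constructed fixtures (not measured data): a biased 1-bit source built from a
# fixed tile, so Pr[0] = 0.6 and the longest run is known to be 3, and the same
# source stuck at 0 for its second half.
HEALTHY = [0, 0, 1, 0, 1, 1, 0, 0, 1, 0] * 200
STUCK = HEALTHY[:1000] + [0] * 1000

# The online cutoff is parameterised out-of-band from the characterized source.
CUTOFF = repetition_cutoff(mcv_min_entropy(HEALTHY))

def assess(samples, cutoff=CUTOFF):
    """Return (min-entropy lower bound, online repetition test tripped)."""
    return mcv_min_entropy(samples), repetition_count_fails(samples, cutoff)

if __name__ == "__main__":
    for name, data in (("healthy", HEALTHY), ("stuck", STUCK)):
        h, tripped = assess(data)
        print(f"{name}: H_inf >= {h:.3f} bits/sample, above 0.5: {h >= 0.5}, "
              f"repetition test (cutoff {CUTOFF}) tripped: {tripped}")
```

The stuck stream still shows a non-zero frequency-based bound, which is why the online test, not the offline estimate, is what catches the failure in the field.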
