[Cryptography] The Crypto Pi

ianG iang at iang.org
Mon Jan 26 08:07:39 EST 2015

On 25/01/2015 14:27 pm, Ben Laurie wrote:
> On 18 January 2015 at 14:50, Ralf Senderek <crypto at senderek.ie> wrote:

>> But there is a problem with the randomness source on the beagle bone.
>> I've monitored the state of the kernel's entropy pool via /proc and
>> found that if you read 10 Bytes from /dev/random the entropy level
>> drops by 52 bits. A short time later reading another 10 Bytes the beagle
>> blocks for 54 seconds. Reading 20 bytes for the first time removes
>> 116 bit of entropy from the pool and the second read blocks for nearly
>> 70 seconds. The beagle bone needs 143 seconds to recover and to add
>> a 100 bits of entropy back to the pool. There's no rngd running.
> I'm not sure what "removing bits from the pool" really means -
> extracting n bits from a pool does not, IMO, remove n bits, or even
> any large fraction of n, from the pool.

It's interesting isn't it.  This whole entropy accounting idea seems to 
be an implausible base for computing, and as a practical matter, in our 
field of endeavour, isn't required.  The notion of cryptographic 
security is sufficient.

The notion that removing a bit also removes a bit of entropy appears to 
be a "bound" argument.  You can't "remove a bit of entropy."  It's 
clearly not entropy once you touch it, and because output is protected 
by hashes, etc, there is also no clear mathematical relationship between 
the entropy pool and the output of the RNG.

If a bit of entropy is touched or relied upon, then adding in another 
bit certainly overwhelms any reduction that might be imagined.  But 
because entropy is expensive this one-bit-equality leads to unreliable 
design (blocking), so it's a missed opportunity.

Meanwhile, from a security & attack perspective, there is a slightly 
more compelling argument that an attacker can copy the state at time N 
and roll it forward.  The "replace entropy after use" argument seems to 
mitigate that attack nicely.

All of this has led me to change the design around.  In my current RNG I 
don't keep a central pool at all, just a mixer that demands fresh 
entropy as required from all collectors.  The major rule then is that 
the collectors aren't allowed to block at all, and it this is a problem 
for them, they have to keep a pool, or return nix;  their choice.


ps; talking about collecting entropy is fraught by definition.  We need 
a better language, but I guess we're stuck with it for now.  I like John 
Denker's version which is 'surprisal'.

More information about the cryptography mailing list