[Cryptography] Whitening Algorithm
Bill Cox
waywardgeek at gmail.com
Fri Jul 24 14:15:04 EDT 2015
On Fri, Jul 24, 2015 at 5:04 AM, Sebastian Gesemann <s.gesemann at gmail.com>
wrote:
> On Fri, Jul 24, 2015 at 3:20 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> > On Thu, Jul 23, 2015 at 2:48 PM, Krisztián Pintér wrote:
> >> use a small cryptographic sponge in duplex mode, for example
> >> keccak[200, r=8] reduced to 6 rounds. this sponge instance has 96 bit
> >> security, and requires only 25 bytes of memory. this is a very safe
> >> solution, although of course a magnitude slower than yours, and also
> >> needs a fair bit of code.
> >
> > Not a bad solution. I use 1600-bit Keccak to whiten the output of my
> > Infinite Noise TRNG. Works great :-)
> >
> > Bill
>
> Ok, 1600 = b = r + c. What's your choice of r and c for rate and
> capacity? What's a typical entropy estimate for your input bits? And
> do you use the full 24 rounds of Keccak-F[1600]?
>
I use the full 24 rounds of KeccakF-1600. I absorb 512 bits at once, with
0.86 bits of average entropy per bit. This is computed from the gain
around an op-amp. If K is the gain, then the entropy/bit is log2(K). In
this case, I use K = 1.82. This results in cryptographically scrambling
the state all at once. I squeeze 512*min(measuredEntropy,
theoreticalEntropy/1.03) bits. It is fast compared to the 300K bits/second
coming from my TRNG.
I also have an "outputMultiplier" parameter. If a user needs unpredictable
pseudo-random data faster than my TRNG produces (around 240K bits/s of
whitened data), then I simply squeeze 256*outputMultiplier bits for each
512 bits absorbed. This does not produce true random data, as there is far
less than 1 bit of entropy per bit of output, but it is useful in some
cases.
Bill
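The absorb/squeeze scheme described in the message above, written out as an added example; this is not the Infinite Noise driver's code. It implements the full 24-round Keccak-f[1600] as a duplex sponge with a 512-bit rate, uses log2(K) with K = 1.82 as the theoretical entropy per raw bit, and squeezes 512*min(measuredEntropy, theoreticalEntropy/1.03) bits per 512 bits absorbed (rounded down to whole bytes here, an assumption of this example), or 256*output_multiplier bits in the faster pseudo-random mode. The class and function names are invented for illustration, the raw "TRNG" input is a constructed random stream, and the permutation is checked against hashlib's SHA3-256 (same sponge, rate 1088 bits) before use.

```python
"""Duplex-sponge TRNG whitener built on Keccak-f[1600] (added example, not the
Infinite Noise driver code; names and byte-granular rounding are assumptions)."""
import hashlib
import math
import random

MASK64 = (1 << 64) - 1
# Round constants and rotation offsets of Keccak-f[1600] (FIPS 202).
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
      0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
      0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
      0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
      0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def rol64(v, n):
    n %= 64
    return v if n == 0 else ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(lanes):
    """Full 24-round Keccak-f[1600]; lanes[x + 5*y] holds lane (x, y)."""
    a = list(lanes)
    for rc in RC:
        # theta: column parities folded back into every lane
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        # rho + pi: rotate each lane and move it to (y, 2x+3y)
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rol64(a[x + 5 * y], ROT[x][y])
        # chi: the only non-linear step, row by row
        a = [b[i] ^ ((~b[(i % 5 + 1) % 5 + 5 * (i // 5)]) & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
             for i in range(25)]
        # iota: break symmetry with the round constant
        a[0] ^= rc
    return a


def absorb(state, block, rate_bytes):
    """XOR one rate-sized block into the state (little-endian lanes), then permute."""
    assert len(block) == rate_bytes and rate_bytes % 8 == 0
    s = list(state)
    for i in range(rate_bytes // 8):
        s[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
    return keccak_f1600(s)


def squeeze(state, nbytes, rate_bytes):
    """Read nbytes from the rate part, permuting again whenever it is exhausted."""
    out = bytearray()
    s = list(state)
    while True:
        out += b"".join(s[i].to_bytes(8, "little") for i in range(rate_bytes // 8))
        if len(out) >= nbytes:
            return bytes(out[:nbytes]), s
        s = keccak_f1600(s)


class SpongeWhitener:
    """Duplex whitener: absorb 512 raw bits, squeeze only what the entropy
    estimate justifies, or 256*output_multiplier bits in pseudo-random mode."""
    RATE_BYTES = 64  # 512-bit rate, so a 1088-bit capacity

    def __init__(self, gain=1.82, output_multiplier=0):
        self.state = [0] * 25
        self.theoretical = math.log2(gain)  # entropy per raw bit = log2(K)
        self.output_multiplier = output_multiplier

    def feed(self, raw, measured_entropy):
        """Absorb 64 raw bytes and return the whitened bytes this block entitles us to."""
        assert len(raw) == self.RATE_BYTES
        self.state = absorb(self.state, raw, self.RATE_BYTES)
        if self.output_multiplier:
            # Faster than the TRNG, but then far below 1 bit of entropy per output bit.
            nbits = 256 * self.output_multiplier
        else:
            nbits = int(512 * min(measured_entropy, self.theoretical / 1.03))
        out, self.state = squeeze(self.state, nbits // 8, self.RATE_BYTES)  # whole bytes only
        return out


def self_test():
    """Verify the permutation: SHA3-256("") is this sponge with rate 1088 bits
    and pad10*1 (0x06 ... 0x80), so it must match hashlib."""
    pad = b"\x06" + b"\x00" * 134 + b"\x80"
    digest, _ = squeeze(absorb([0] * 25, pad, 136), 32, 136)
    return digest == hashlib.sha3_256(b"").digest()


if __name__ == "__main__":
    assert self_test()
    rng = random.Random(1)  # constructed stand-in for the raw TRNG byte stream
    w = SpongeWhitener()
    for _ in range(3):
        raw = bytes(rng.getrandbits(8) for _ in range(64))
        print(w.feed(raw, 0.86).hex())  # 53 bytes per 64 raw bytes at K = 1.82
```

With K = 1.82 the theoretical estimate is log2(1.82) = 0.864 bits per bit; divided by 1.03 that is 0.839, which is below the 0.86 measured, so each 512-bit block yields 429 bits, or 53 whole bytes. The hashlib check is the cheap way to catch a transposed rotation offset or a wrong round constant before trusting the permutation with real entropy.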