[Cryptography] Whitening Algorithm

Bill Cox waywardgeek at gmail.com
Fri Jul 24 14:15:04 EDT 2015

On Fri, Jul 24, 2015 at 5:04 AM, Sebastian Gesemann <s.gesemann at gmail.com>

> On Fri, Jul 24, 2015 at 3:20 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> > On Thu, Jul 23, 2015 at 2:48 PM, Krisztián Pintér wrote:
> >> use a small cryptographic sponge in duplex mode, for example
> >> keccak[200, r=8] reduced to 6 rounds. this sponge instance has 96 bit
> >> security, and requires only 25 bytes of memory. this is a very safe
> >> solution, although of course a magnitude slower than yours, and also
> >> needs a fair bit of code.
> >
> > Not a bad solution.  I use 1600-bit Keccak to whiten the output of my
> > Infinite Noise TRNG.  Works great :-)
> >
> > Bill
> Ok, 1600 = b = r + c. What's your choice of r and c for rate and
> capacity? What's a typical entropy estimate for your input bits? And
> do you use the full 24 rounds of Keccak-F[1600]?

I use the full 24 rounds of KeccakF-1600.  I absorb 512 bits at once, with
0.86 bits of average entropy per bit.  This is computed from the gain
around an op-amp.  If K is the gain, then the entropy/bit is log2(K).  In
this case, I use K = 1.82.  This results in cryptographically scrambling
the state all at once.  I squeeze 512*min(measuredEntropy,
theoreticalEntropy/1.03) bits.  It is fast compared to the 300K bits/second
coming from my TRNG.

I also have an "outputMultiplier" parameter.  If a user needs unpredictable
pseudo-random data faster than my TRNG produces (around 240K bits/s of
whitened data), then I simply squeeze 256*outputMultiplier bits for each
512 bits absorbed.  This does not produce true random data, as there is far
less than 1 bit of entropy per bit of output, but it is useful in some
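
An added illustration of the entropy accounting in Bill's reply (not his code, and not part of the Infinite Noise driver): entropy per raw bit is log2(K) for op-amp gain K, a 512-bit block is absorbed, and only 512*min(measuredEntropy, theoreticalEntropy/1.03) bits are squeezed. It assumes hashlib's SHAKE256 (a Keccak-f[1600] sponge, 24 rounds) stands in for driving the permutation directly, and a frequency-based Shannon estimate stands in for the driver's real measured-entropy check; the sample block is constructed.

```python
import hashlib
import math
from collections import Counter

ABSORB_BITS = 512        # bits absorbed into the sponge per block (from the post)
SAFETY_DIVISOR = 1.03    # headroom applied to the theoretical estimate (from the post)


def theoretical_entropy_per_bit(gain):
    """Entropy per raw bit implied by the op-amp gain K: log2(K)."""
    return math.log2(gain)


def measured_entropy_per_bit(bits):
    """Assumption: a plain Shannon estimate from the 0/1 frequencies of one block
    stands in for whatever online health measurement the real driver uses."""
    n = len(bits)
    return -sum((c / n) * math.log2(c / n) for c in Counter(bits).values())


def squeeze_budget_bits(measured, theoretical):
    """Output bits allowed per absorbed block: 512 * min(measured, theoretical / 1.03)."""
    return int(ABSORB_BITS * min(measured, theoretical / SAFETY_DIVISOR))


def whiten_block(raw_bits, gain):
    """Absorb one 512-bit block and squeeze only as many bits as its entropy supports.
    Assumption: SHAKE256 (Keccak-f[1600], 24 rounds) is used as the sponge; the post
    drives the permutation directly, but the entropy accounting is the same."""
    if len(raw_bits) != ABSORB_BITS:
        raise ValueError("expected exactly %d raw bits" % ABSORB_BITS)
    budget = squeeze_budget_bits(measured_entropy_per_bit(raw_bits),
                                 theoretical_entropy_per_bit(gain))
    nbytes = budget // 8          # whole bytes only; leftover bits are discarded
    if nbytes == 0:               # degenerate block (e.g. stuck source): emit nothing
        return b"", budget
    packed = int("".join(map(str, raw_bits)), 2).to_bytes(ABSORB_BITS // 8, "big")
    return hashlib.shake_256(packed).digest(nbytes), budget


# Constructed sample block: 384 ones and 128 zeros, i.e. a 75% bias toward 1.
SAMPLE_BLOCK = [1] * 384 + [0] * 128

if __name__ == "__main__":
    out, budget = whiten_block(SAMPLE_BLOCK, gain=1.82)
    print("theoretical entropy/bit: %.4f" % theoretical_entropy_per_bit(1.82))
    print("budget %d bits -> %d whitened bytes" % (budget, len(out)))
```

With K = 1.82 the theoretical estimate is about 0.864 bits/bit, so an unbiased-looking block is capped by the 1.03 divisor at 429 output bits, while the biased sample block is capped by its measured entropy at 415 bits.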
