[Cryptography] Entropy of a diode
David Johnston
dj at deadhat.com
Sun Jul 24 15:45:16 EDT 2016
On 7/21/16 8:06 AM, Tom Mitchell wrote:
>
> http://imotp.sourceforge.net/noise.pdf <--- interesting.
> From the above link : "Transistor junction noise provides a source
> of true random data that can
> be sampled and stored on a computer. However, this sampled data
> does not contain 1 bit of entropy
> per bit of stored data. It is therefore necessary to post process
> the data samples to distil the existing
> entropy into a smaller number of high entropy bits."
>
This isn't just a property of transistor noise. It's a property of all
digital samplings of physical processes in this universe.
If you are building a circuit to convert sampled noise into bits, you
need to do entropy distillation/conditioning/extraction or whatever it's
called this week. I prefer distillation since it gets at the essence of
what's going on.
Pinkas proved with a single source, no deterministic algorithm will get
you to 100% entropy, as in Hinf(X)=1, or stated more directly,
max_i(P(xi)=1) = 0.5.
Dodis proves you can get close enough for crypto, but the guarantee is a
computational bound, not full entropy.
You can get there with multiple independent sources, but where do you
find independent sources in this universe?
For the practicing engineer, you can take advantage of multiple sources
and accept that while you can't prove they are independent, you can
assume they are independent enough that it's going to work. The benefits
being that the multiple input extractors can be simpler with more clear
proofs. We built one this way and as far as I know it's the world's most
efficient RNG (in bits/s/W and bit/s/m^2).
http://www.deadhat.com/papers/uRNG.pdf
I think it is an issue for crypto systems that people built physical RNG
noise sources without paying attention to extractor theory. The two are
tightly coupled disciplines.
DJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160724/1f696089/attachment.html>
More information about the cryptography
mailing list