[Cryptography] Is Ron right on randomness

Ron Garret ron at flownet.com
Thu Nov 24 06:22:02 EST 2016

On Nov 24, 2016, at 12:28 AM, Bill Cox <waywardgeek at gmail.com> wrote:

> On Wed, Nov 23, 2016 at 7:26 PM, Ron Garret <ron at flownet.com> wrote:
> On Nov 23, 2016, at 2:15 PM, Carl Ellison <cme at acm.org> wrote:
> As to “how do you do it”, that is ultimately a judgement call that you have to make based on your risk posture and the totality of the circumstances.  But my baseline recommendation if you want to be exceptionally paranoid is to make an audio recording of some white-ish noise (e.g. record yourself saying “Shhh”) and then extract 1% or 0.1% of the result.  Of course, you have to do this in a secure environment.  An attacker is vastly more likely to compromise you by obtaining a copy of this recording than because it didn’t contain enough entropy.
> I prefer randomness from a source that has a solid physical model and a way to measure that it is performing according to that model.  There are several TRNGs that accomplish this, and many that don't (such as zener noise).
> For your example, I agree it would work fine.  However, it would be hard to characterize the entropy in a recording of "Shhh".  I look at a lot of recordings of sound (I wrote libsonic to speed up speech).  Even in recordings of "shhh", generally the next point can be predicted with more accuracy than I would have thought if I had not looked at the waveforms.  There is a surprising amount of non-randomness.  There's nothing wrong with going for thermal noise instead.

I agree 100%.  The “Shh” example is meant more as an illustration of how simple a solution to the problem can be than a serious suggestion for production use, though it would in fact work; you would just want to choose a high safety factor.  A typical audio input samples at >500 kbps, so one second of audio with a safety factor of 1000 will give you 500 bits of entropy.  That’s a pretty comfortable margin IMHO, but if you don’t agree, I’ll be happy to sell you an HSM with a HWRNG for $75.  Under no circumstances should anyone be paying more than that.
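
The safety-factor arithmetic and the predictability point discussed in this thread, as an added example that is not part of the original post or any poster's code. Assumptions: SHAKE-256 as the condensing step (the thread does not name one), all function names, and a constructed correlated-noise signal standing in for a recording.

```python
import hashlib
import math
import random
from collections import Counter

def credited_bits(raw_bits: int, safety_factor: int) -> int:
    """Entropy credited to a recording: raw bit count divided by the safety factor."""
    return raw_bits // safety_factor

def min_entropy_per_symbol(symbols) -> float:
    """Crude min-entropy estimate: -log2 of the most common symbol's frequency."""
    counts = Counter(symbols)
    return -math.log2(max(counts.values()) / len(symbols))

def prediction_residuals(samples):
    """Error of the simplest predictor: 'the next sample equals the previous one'."""
    return [b - a for a, b in zip(samples, samples[1:])]

def extract_seed(recording: bytes, safety_factor: int, max_bytes: int = 32) -> bytes:
    """Condense a recording to no more bytes than its credited entropy.

    SHAKE-256 is an assumed conditioner; output is capped at max_bytes.
    """
    n = min(credited_bits(len(recording) * 8, safety_factor) // 8, max_bytes)
    if n == 0:
        raise ValueError("recording too short for this safety factor")
    return hashlib.shake_256(recording).digest(n)

def constructed_samples(count: int = 20000, seed: int = 1):
    """Constructed 16-bit correlated noise. Not a real recording, not a secret source."""
    rng, x, out = random.Random(seed), 0.0, []
    for _ in range(count):
        x = 0.95 * x + rng.gauss(0, 200)  # each sample leans on the previous one
        out.append(max(-32768, min(32767, round(x))))
    return out

if __name__ == "__main__":
    samples = constructed_samples()
    naive = min_entropy_per_symbol(samples)
    predicted = min_entropy_per_symbol(prediction_residuals(samples))
    print(f"naive estimate:   {naive:.2f} bits/sample")
    print(f"after prediction: {predicted:.2f} bits/sample")
    print("500 kbit at safety factor 1000:", credited_bits(500_000, 1000), "bits")
    recording = b"".join(s.to_bytes(2, "little", signed=True) for s in samples)
    print("seed:", extract_seed(recording, 1000).hex())
```

Even the one-tap predictor lowers the per-sample estimate on correlated input, which is the gap the safety factor is there to absorb.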
