[Cryptography] Is Ron right on randomness

Ron Garret ron at flownet.com
Sat Nov 26 06:44:17 EST 2016

On Nov 25, 2016, at 8:15 PM, dj at deadhat.com wrote:

>>>> Everything that matters about randomness can be summarized in four
>>>> bullet points:
>>>> 1. You need two things: an entropy source, and a whitener. No entropy
>>>> source is perfect, so you need a whitener no matter what. You don't
>>>> have to
>>>> do anything fancy in your whitener. Any cryptographically secure hash
>>>> function (like SHA512) will do.
>>>> 2. Since you need a whitener no matter what, it doesn't really matter
>>>> how
>>>> good your entropy source is, except insofar as it might take a long
>>>> time to
>>>> collect enough entropy from a very poor source. All that matters is
>>>> that you
>>>> have an accurate lower bound for how much entropy your source actually
>>>> provides, and this is the case no matter how good (or bad) your source
>>>> actually is. As long as you feed >N bits of entropy into your whitener,
>>>> you can
>>>> safely extract N bits of true randomness out of it.
>>>> 3. You don't need more than a few hundred bits of randomness. 128 bits
>>>> is
>>>> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
>>>> cryptographically secure PRNG with a few hundred bits of entropy and
>>>> you
>>>> can safely extract gigabytes of key material out of it.
>>> (I omitted #4)
>>> Is the above accurate?  Is it a reasonable design point to use for
>>> OpenSSL's next CSPRNG?
> No, the above #2 is not accurate. It does matter how good your entropy
> source is. The leftover hash lemma gives you the expression for the amount
> of entropy you can extract from entropy sources - but doesn't tell you how
> and for the real constructions the answer is worse. Subsequent papers
> given bounds for certain specific extractors. This can be be summarized as
> the 0.5 limit. If your input data has less that 0.5 bits of entropy per
> bit of data, your extractor is swimming upstream slower than the stream is
> moving downstream.

Reference please?  Because this would be news to me (and, I think, a lot of other people as well).


More information about the cryptography mailing list