[Cryptography] Is Ron right on randomness
Ron Garret
ron at flownet.com
Sat Nov 26 06:44:17 EST 2016
On Nov 25, 2016, at 8:15 PM, dj at deadhat.com wrote:
>
>>>> Everything that matters about randomness can be summarized in four
>>>> bullet points:
>>>>
>>>> 1. You need two things: an entropy source, and a whitener. No entropy
>>>> source is perfect, so you need a whitener no matter what. You don't
>>>> have to
>>>> do anything fancy in your whitener. Any cryptographically secure hash
>>>> function (like SHA512) will do.
>>>>
>>>> 2. Since you need a whitener no matter what, it doesn't really matter
>>>> how
>>>> good your entropy source is, except insofar as it might take a long
>>>> time to
>>>> collect enough entropy from a very poor source. All that matters is
>>>> that you
>>>> have an accurate lower bound for how much entropy your source actually
>>>> provides, and this is the case no matter how good (or bad) your source
>>>> actually is. As long as you feed >N bits of entropy into your whitener,
>>>> you can
>>>> safely extract N bits of true randomness out of it.
>>>>
>>>> 3. You don't need more than a few hundred bits of randomness. 128 bits
>>>> is
>>>> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
>>>> cryptographically secure PRNG with a few hundred bits of entropy and
>>>> you
>>>> can safely extract gigabytes of key material out of it.
>>>
>>> (I omitted #4)
>>>
>>> Is the above accurate? Is it a reasonable design point to use for
>>> OpenSSL's next CSPRNG?
>>>
>
> No, the above #2 is not accurate. It does matter how good your entropy
> source is. The leftover hash lemma gives you the expression for the amount
> of entropy you can extract from entropy sources - but doesn't tell you how
> and for the real constructions the answer is worse. Subsequent papers
> given bounds for certain specific extractors. This can be be summarized as
> the 0.5 limit. If your input data has less that 0.5 bits of entropy per
> bit of data, your extractor is swimming upstream slower than the stream is
> moving downstream.
Reference please? Because this would be news to me (and, I think, a lot of other people as well).
rg
More information about the cryptography
mailing list