[Cryptography] Proper Entropy Source

Ryan Carboni ryacko at gmail.com
Wed Jan 22 02:09:26 EST 2020


On Wed, Jan 22, 2020 at 1:20 AM Theodore Y. Ts'o <tytso at mit.edu> wrote:
>
> On Tue, Jan 21, 2020 at 12:42:43AM +0000, Ryan Carboni wrote:
> > On Mon, Jan 20, 2020 at 11:57 PM John Denker <jsd at av8n.com> wrote:
> > >
> > >
> > >You would need more than 64 bits to have any hope of
> > >detecting any nontrivial nonrandomness ... and (!)
> > >you would still have the Dijkstra problem.
> >
> > The Dijkstra problem or the McNamara problem?
> > "named for Robert McNamara, the US secretary of defense from 1961 to
> > 1968, involves making a decision based solely on quantitative
> > observations (or metrics) and ignoring all others. The reason given is
> > often that these other observations cannot be proven."
>
> The original Dijkstra quote: "Testing shows the presence, not the
> absence of bugs" was paraphrased by John as:
>
>   testing can show the absence of randomness;
>     but it can never show the presence of randomness.
>
> Your reference of the McNamara fallacy[1]
>
> [1] https://en.wikipedia.org/wiki/McNamara_fallacy
>
>
> This is why I generally consider statistical testing for randomness to
> be worse than useless, since it causes people to get a false sense of
> security.  Sure, if you use it to test the raw, non-whitened sequence
> from a hardware process, that can help you discover if there is a 60
> Hz hum dominating the results from the hardware random number
> generator, but most of the time when people use it for a software
> implementation, it tells you essentially nothing.
>
> And yet, people continue to use it as a justification of how haveged
> must be a secure "true" random number generator, and the only reaction I
> have is:
>

No, the McNamara fallacy is a valid point. Reality is not merely a
series of numbers to be inventoried by other people or machines,
reality is far more complex and overlooking the complexity will
directly result in failure. The scrypt paper estimates the value of 64
bits of security to be in the millions for password derivation
functions; Schneier's paper on Minimal Key Lengths estimates the value
of 60 bits of security to be $300k in FPGA; COPACOBANA costs
$10,000...

Factually, at $1 million, there are more efficient ways to do things.
(https://www.theregister.co.uk/2019/08/06/att_unlock_fraud_hack_charges/
https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%9305)

Regardless, if you have an adversary capable of benchmarking
production lots of processors for intrinsic properties, be glad that
they are breaking the RNG that way as opposed to other ways...
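
The point in the quoted message, that a passed statistical test says nothing about whether the output is unpredictable, can be made concrete. The code below is an example added to this archive page; it is not from any participant in the thread. Its "broken generator" is hypothetical (SHA-256 in counter mode keyed by a 16-bit seed), the NIST SP 800-22 monobit and runs tests are simplified single-sequence versions, and the biased raw source is simulated with Python's random module rather than measured from hardware. The whitened low-entropy stream passes both tests, the attacker ignores the statistics and brute-forces the seed in at most 65536 tries, and the only thing the tests do catch is the biased raw source.

```python
"""Why a passed statistical test says nothing about unpredictability.

Constructed example (not from the thread): a whitened generator with only
16 bits of secret state passes the NIST SP 800-22 monobit and runs tests,
yet an attacker recovers its seed by brute force.  The same tests DO catch
a biased raw source, which is the one use the quoted message grants them.
"""
import hashlib
import math
import random
import struct


def low_entropy_stream(seed16: int, nbytes: int) -> bytes:
    """Hypothetical broken generator: SHA-256 in counter mode keyed by a
    16-bit seed.  Every output block is uniform-looking, but only 65536
    distinct streams exist."""
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hashlib.sha256(struct.pack(">HQ", seed16, block)).digest()
        block += 1
    return bytes(out[:nbytes])


def biased_raw_source(nbytes: int, p_one: float = 0.6, sim_seed: int = 1) -> bytes:
    """Stand-in for an un-whitened hardware source with a fixed bias
    (think of a 60 Hz hum leaking into the sampler).  Simulated, not measured."""
    rng = random.Random(sim_seed)
    bits = [1 if rng.random() < p_one else 0 for _ in range(nbytes * 8)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def to_bits(data: bytes) -> list:
    """MSB-first bit list of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_p_value(data: bytes) -> float:
    """SP 800-22 frequency (monobit) test: p = erfc(|S_n| / sqrt(n) / sqrt(2))."""
    bits = to_bits(data)
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(n) / math.sqrt(2))


def runs_p_value(data: bytes) -> float:
    """SP 800-22 runs test.  If the frequency prerequisite |pi - 1/2| < 2/sqrt(n)
    fails, the test is not applicable; report p = 0 so the sample counts as failing."""
    bits = to_bits(data)
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def passes(data: bytes, alpha: float = 0.01) -> bool:
    """Both tests at the usual alpha = 0.01 significance level."""
    return monobit_p_value(data) >= alpha and runs_p_value(data) >= alpha


def fraction_passing(nseeds: int = 100, nbytes: int = 1024) -> float:
    """Share of low-entropy streams that pass both tests.  Expect close to 0.98:
    the tests cannot see that 240 of the 256 bits of state are missing."""
    return sum(passes(low_entropy_stream(s, nbytes)) for s in range(nseeds)) / nseeds


def recover_seed(observed: bytes) -> int:
    """The attacker ignores the statistics and enumerates every seed,
    matching the first 32-byte block before confirming the full stream."""
    first_block = observed[:32]
    for seed in range(1 << 16):
        if hashlib.sha256(struct.pack(">HQ", seed, 0)).digest() == first_block:
            if low_entropy_stream(seed, len(observed)) == observed:
                return seed
    raise ValueError("no 16-bit seed reproduces the observed stream")


if __name__ == "__main__":
    print(f"low-entropy streams passing monobit+runs: {fraction_passing():.2f}")
    raw = biased_raw_source(1024)
    print(f"biased raw source: monobit p = {monobit_p_value(raw):.3g}, passes = {passes(raw)}")
    sample = low_entropy_stream(0xBEEF, 256)
    print(f"recovered seed: 0x{recover_seed(sample):04X}")
```

The tests reject the biased raw bits with a p-value of essentially zero, pass almost every stream of the 16-bit-seeded generator, and an alternating 0101... pattern passes monobit while failing runs. None of those outcomes says anything about the seed search, which succeeds regardless.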

