[Cryptography] Proper Entropy Source

Theodore Y. Ts'o tytso at mit.edu
Tue Jan 21 20:20:15 EST 2020


On Tue, Jan 21, 2020 at 12:42:43AM +0000, Ryan Carboni wrote:
> On Mon, Jan 20, 2020 at 11:57 PM John Denker <jsd at av8n.com> wrote:
> >
> >
> >You would need more than 64 bits to have any hope of
> >detecting any nontrivial nonrandomness ... and (!)
> >you would still have the Dijkstra problem.
> 
> The Dijkstra problem or the McNamara problem?
> "named for Robert McNamara, the US secretary of defense from 1961 to
> 1968, involves making a decision based solely on quantitative
> observations (or metrics) and ignoring all others. The reason given is
> often that these other observations cannot be proven. "

The original Dijkstra quote: "Testing shows the presence, not the
absence of bugs" was paraphrased by John as:

  testing can show the absence of randomness;
    but it can never show the presence of randomness.

Your reference of the McNamara fallacy[1]

[1] https://en.wikipedia.org/wiki/McNamara_fallacy

wasn't what John was going for, but it's also somewhat applicable.

My usual example is using any AES key as "NSA_KEY", try feeding the
following to a statistical test:

   AES(NSA_KEY, SEQ++)

It will look perfect, but for anyone in possession of NSA_KEY and a
sequence of numbers generated from that formula, they can decrypt the
sequence to find SEQ, and then predict all future numbers of said
"random number generator".

This is why I generally consider statistical testing for randomness to
be worse than useless, since it causes people to get a false sense of
security.  Sure, if you use it to test the raw, non-whitened sequence
from a hardware process, that can help you discover if there is a 60
Hz hum dominating the results from the hardware random number
generator, but most of the time when people use it for a software
implementation, it tells you essentially nothing.

And yet, people continue to use it as a justification of how haveged
must be a secure "true" random number generator, and only reaction I
have is:

https://www.youtube.com/watch?v=uSvJaYxRoB4

					- Ted
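
The AES(NSA_KEY, SEQ++) construction from the message above, as an added example that is not part of the original post. So that it runs on the Python standard library alone, a 4-round Feistel permutation built on HMAC-SHA256 stands in for AES; KEY, the class and the function names are constructed for illustration.

```python
import hashlib, hmac, math

BLOCK = 16   # 128-bit block, the same size as an AES block
KEY = b"constructed demo key"   # stands in for NSA_KEY (constructed value)

def _f(key, i, half):
    # Keyed Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

class KeyedCounterRNG:
    """The generator from the message: output = E(key, SEQ++)."""
    def __init__(self, key, seq):
        self.key, self.seq = key, seq
    def next_block(self):
        out = encrypt(self.key, self.seq.to_bytes(BLOCK, "big"))
        self.seq += 1
        return out

def monobit_p(data):
    # Frequency (monobit) test p-value as in NIST SP 800-22.
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return math.erfc(abs(2 * ones - n) / math.sqrt(n) / math.sqrt(2))

def predict_next(key, observed):
    # Key holder decrypts one output to get SEQ, then computes the next one.
    seq = int.from_bytes(decrypt(key, observed), "big")
    return encrypt(key, (seq + 1).to_bytes(BLOCK, "big"))

if __name__ == "__main__":
    rng = KeyedCounterRNG(KEY, seq=2020)
    stream = [rng.next_block() for _ in range(2000)]
    print("monobit p-value:", monobit_p(b"".join(stream)))
    print("next output predicted:", predict_next(KEY, stream[-1]) == rng.next_block())
```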

