[Cryptography] Proper Entropy Source
Theodore Y. Ts'o
tytso at mit.edu
Tue Jan 21 20:20:15 EST 2020
On Tue, Jan 21, 2020 at 12:42:43AM +0000, Ryan Carboni wrote:
> On Mon, Jan 20, 2020 at 11:57 PM John Denker <jsd at av8n.com> wrote:
> >
> >
> >You would need more than 64 bits to have any hope of
> >detecting any nontrivial nonrandomness ... and (!)
> >you would still have the Dijkstra problem.
>
> The Dijkstra problem or the McNamara problem?
> "named for Robert McNamara, the US secretary of defense from 1961 to
> 1968, involves making a decision based solely on quantitative
> observations (or metrics) and ignoring all others. The reason given is
> often that these other observations cannot be proven. "
The original Dijkstra quote: "Testing shows the presence, not the
absence of bugs" was paraphrased by John as:

    testing can show the absence of randomness;
    but it can never show the presence of randomness.

Your reference of the McNamara fallacy[1]

[1] https://en.wikipedia.org/wiki/McNamara_fallacy

wasn't what John was going for, but it's also somewhat applicable.
My usual example is using any AES key as "NSA_KEY", try feeding the
following to a statistical test:

    AES(NSA_KEY, SEQ++)

It will look perfect, but for anyone in possession of NSA_KEY and a
sequence of numbers generated from that formula, they can decrypt the
sequence to find SEQ, and then predict all future numbers of said
"random number generator".
This is why I generally consider statistical testing for randomness to
be worse than useless, since it causes people to get a false sense of
security. Sure, if you use it to test the raw, non-whitened sequence
from a hardware process, that can help you discover if there is a 60
Hz hum dominating the results from the hardware random number
generator, but most of the time when people use it for a software
implementation, it tells you essentially nothing.
And yet, people continue to use it as a justification of how haveged
must be a secure "true" random number generator, and the only reaction I
have is:
https://www.youtube.com/watch?v=uSvJaYxRoB4
- Ted
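
The AES(NSA_KEY, SEQ++) construction from the message above, as an added example that is not part of the original post: the output passes a simple bit-frequency check, yet whoever holds the key decrypts one output to recover SEQ and computes the next output. The key value, the placement of SEQ in the low 64 bits of the block, and all function names are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Constructed 16-byte stand-in for "NSA_KEY"; NewCipher cannot fail for this length.
var block, _ = aes.NewCipher([]byte("constructed-key!"))

// Generate returns n outputs of AES(NSA_KEY, SEQ++), starting at seq.
func Generate(seq uint64, n int) [][]byte {
	out := make([][]byte, n)
	for i := range out {
		in := make([]byte, aes.BlockSize) // assumed layout: SEQ in the low 64 bits
		binary.BigEndian.PutUint64(in[8:], seq+uint64(i))
		out[i] = make([]byte, aes.BlockSize)
		block.Encrypt(out[i], in)
	}
	return out
}

// OnesFraction is a monobit frequency check: the share of 1 bits in the output.
func OnesFraction(blocks [][]byte) float64 {
	ones := 0
	for _, b := range blocks {
		for _, x := range b {
			ones += bits.OnesCount8(x)
		}
	}
	return float64(ones) / float64(len(blocks)*aes.BlockSize*8)
}

// PredictNext is the key holder's view: decrypt one observed output to
// recover SEQ, then compute the output for SEQ+1.
func PredictNext(observed []byte) []byte {
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, observed)
	return Generate(binary.BigEndian.Uint64(pt[8:])+1, 1)[0]
}

func main() {
	out := Generate(1000, 4096)
	fmt.Printf("fraction of 1 bits: %.4f\n", OnesFraction(out))
	fmt.Println("next output predicted:", bytes.Equal(PredictNext(out[10]), out[11]))
}
```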