[Cryptography] Proper Entropy Source

Bill Frantz frantz at pwpconsult.com
Wed Jan 22 17:47:43 EST 2020


In this area, I'm with John von Neumann, "Anyone who attempts to 
generate random numbers by deterministic means is, of course, 
living in a state of sin."

Fortunately, for most cryptography, we don't need randomness, we 
need unguessability.

But, as John points out, that is squish.


On 1/22/20 at 6:53 AM, cryptography at metzdowd.com (John Denker 
via cryptography) wrote:

>Also keep in mind the fundamental equation:
>squish + squish = squish.
>
>In other words: Combining multiple squishy sources does *not* 
>produce randomness.  It might make it harder for
>you to predict, but again, that is not the criterion.

And harder to predict is something we want. If I can combine 100 
sources that each give me 1 bit of unguessability, I have a good 
start on having a cryptographically useful unguessable number. 
High precision timing of packet arrival may be useful here.

Ideally, you have a hardware generator with a theoretical reason 
to think it is random. But if you don't, combining multiple 
sources, with very small guesses as to the number of bits of 
unguessability may be the best you can do.

If you don't trust the organization that made your hardware 
source, combine it with some squish to make the opponent's job harder.

...

>I have never seen a hardware process that produces 100%
>entropy density.  I suspect no such thing exists.  There
>is always "some" squish.
>
>Not all squish is equally troublesome.  Therefore any
>decent RNG depends on hardware *and* on computational
>complexity.  The former is used to create a signal that
>has almost 100% entropy density, and the latter is used
>to hide the remaining squish so it cannot feasibly be
>exploited.

If I have a hardware generator that generates bits that are 75% 
ones, but is "provably random", I just need to draw out more 
bits and combine them. But, I think this approach is what John 
is describing.

Now, the combining function is a useful place to use program proofs.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"After all, if the conventional wisdom was working, the
408-348-7900       | rate of systems being compromised would be going down,
www.pwpconsult.com | wouldn't it?" -- Marcus Ranum
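An added worked example (mine, not Bill's or John's) of the two combining steps the thread discusses: drawing extra bits from a 75%-ones source and debiasing them, and XOR-combining several squishy sources, with the piling-up lemma giving the exact residual bias so the "how much did combining buy me" question has a number. The sources are constructed with a seeded PRNG purely as stand-ins; function names are my own.

```python
import hashlib
import random
from typing import Iterable, List


def von_neumann_debias(bits: Iterable[int]) -> List[int]:
    """Von Neumann extractor: read bit pairs, emit 0 for 01, 1 for 10,
    discard 00 and 11. For independent bits with a constant bias p the
    output is exactly unbiased; the cost is yield, only 2p(1-p) output
    bits per pair (0.375 at p = 0.75). Correlated input breaks the proof."""
    out = []
    it = iter(bits)
    for a, b in zip(it, it):  # zip over one iterator walks it in pairs
        if a != b:
            out.append(a)
    return out


def xor_combine(sources: List[List[int]]) -> List[int]:
    """Bitwise XOR of several sources. With *independent* sources the result
    is at least as unbiased as the best one; that is all squish + squish buys."""
    n = min(len(s) for s in sources)
    return [sum(s[i] for s in sources) & 1 for i in range(n)]


def xor_p_one(p_ones: List[float]) -> float:
    """P(XOR = 1) for independent bits with P(bit_i = 1) = p_i, by the
    piling-up lemma: 1/2 - 2^(n-1) * prod(1/2 - p_i)."""
    prod = 1.0
    for p in p_ones:
        prod *= 0.5 - p
    return 0.5 - (2 ** (len(p_ones) - 1)) * prod


def condition(bits: List[int]) -> bytes:
    """The 'hide the remaining squish' step: hash the pool. This adds no
    entropy; it only spreads whatever is there across the output bits."""
    return hashlib.sha256(bytes(bits)).digest()


def biased_source(p_one: float, n: int, seed: int) -> List[int]:
    """CONSTRUCTED stand-in for a hardware source with P(1) = p_one.
    Seeded PRNG, so deterministic and not an entropy source itself."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def fraction_ones(bits: List[int]) -> float:
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    raw = biased_source(0.75, 20_000, seed=1)
    deb = von_neumann_debias(raw)
    print("raw", round(fraction_ones(raw), 3), "debiased", round(fraction_ones(deb), 3),
          "yield", round(len(deb) / len(raw), 3))
    srcs = [biased_source(0.75, 20_000, seed=s) for s in range(2, 12)]
    print("xor of 10 sources", round(fraction_ones(xor_combine(srcs)), 4),
          "predicted", round(xor_p_one([0.75] * 10), 4))
```

Ten independent 75%-ones sources XORed still leave P(1) measurably off 1/2, which is the quantitative version of John's point; the debiaser removes the bias outright but only under the independence assumption the text calls "provably random".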
