[Cryptography] Proper Entropy Source
Bill Frantz
frantz at pwpconsult.com
Wed Jan 22 17:47:43 EST 2020
In this area, I'm with John von Neumann, "Anyone who attempts to
generate random numbers by deterministic means is, of course,
living in a state of sin."
Fortunately, for most cryptography, we don't need randomness, we
need unguessability.
But, as John points out, that is squish.
On 1/22/20 at 6:53 AM, cryptography at metzdowd.com (John Denker
via cryptography) wrote:
>Also keep in mind the fundamental equation:
>squish + squish = squish.
>
>In other words: Combining multiple squishy sources does *not*
>produce randomness. It might make it harder for
>you to predict, but again, that is not the criterion.
And harder to predict is something we want. If I can combine 100
sources that each give me 1 bit of unguessability, I have a good
start on having a cryptographically useful unguessable number.
High precision timing of packet arrival may be useful here.
Ideally, you have a hardware generator with a theoretical reason
to think it is random. But if you don't, combining multiple
sources, with very small guesses as to the number of bits of
unguessability may be the best you can do.
If you don't trust the organization that made your hardware
source, combine it with some squish to make the opponent's job harder.
...
>I have never seen a hardware process that produces 100%
>entropy density. I suspect no such thing exists. There
>is always "some" squish.
>
>Not all squish is equally troublesome. Therefore any
>decent RNG depends on hardware *and* on computational
>complexity. The former is used to create a signal that
>has almost 100% entropy density, and the latter is used
>to hide the remaining squish so it cannot feasibly be
>exploited.
If I have a hardware generator that generates bits that are 75%
ones, but is "provably random", I just need to draw out more
bits and combine them. But, I think this approach is what John
is describing.
Now, the combining function is a useful place to use program proofs.
Cheers - Bill
---------------------------------------------------------------------------
Bill Frantz        |"After all, if the conventional wisdom was working, the
408-348-7900       | rate of systems being compromised would be going down,
www.pwpconsult.com | wouldn't it?" -- Marcus Ranum
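As an added illustration (not code from the post or from the list), the two ideas in the message above in runnable form: how many raw bits a 75%-ones but independent source must supply before a sample holds 128 bits of min-entropy, a von Neumann debiaser for such a source, and a toy hash-based pool that combines many squishy sources, credits each with a conservative guess of its unguessability, and refuses to hand out more bits than it has been credited. The pool design, all names and the sample inputs are my own assumptions, not any standard's conditioner.

```python
import hashlib
import math

def min_entropy_per_bit(p_one):
    """Min-entropy (bits) carried by one output bit of a source that emits 1
    with probability p_one: -log2 of the most likely outcome."""
    p_max = max(p_one, 1.0 - p_one)
    return -math.log2(p_max)

def raw_bits_needed(target_bits, p_one):
    """Raw bits a biased but independent source must supply so that the
    sample holds at least target_bits of min-entropy."""
    return math.ceil(target_bits / min_entropy_per_bit(p_one))

def von_neumann_debias(bits):
    """Von Neumann extractor: keep the first bit of each unequal pair, drop
    00 and 11 pairs. Output is unbiased only if input bits are independent."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

class EntropyPool:
    """Hash-combine many squishy sources, crediting each with a conservative
    min-entropy guess, and refuse to pay out more than has been credited.
    Hypothetical toy design for illustration, not a standard's conditioner."""

    def __init__(self):
        self._state = bytes(32)
        self.credited = 0.0  # bits of unguessability we believe the pool holds

    def add(self, sample, est_bits):
        # Length-prefix the sample so different input splits cannot collide,
        # and tag the hash input so add/out/next derivations stay distinct.
        blob = b"add" + self._state + len(sample).to_bytes(4, "big") + sample
        self._state = hashlib.sha256(blob).digest()
        self.credited += est_bits

    def extract(self, n_bits):
        if not 0 < n_bits <= 256 or n_bits > self.credited:
            raise ValueError("not enough credited entropy for %d bits" % n_bits)
        out = hashlib.sha256(b"out" + self._state).digest()[:(n_bits + 7) // 8]
        # Ratchet the state so a leaked output does not reveal the pool.
        self._state = hashlib.sha256(b"next" + self._state).digest()
        self.credited -= n_bits
        return out
```

With a 75%-ones source, `raw_bits_needed(128, 0.75)` is 309, and a pool fed the post's 100 one-bit sources refuses a 128-bit extraction until enough further credit arrives.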