[Cryptography] Proper Entropy Source

John Denker jsd at av8n.com
Wed Jan 29 14:14:34 EST 2020


On 1/29/20 8:30 AM, John Kelsey wrote:

> You need at least an approximate probability distribution for your 
> source, based on a physical understanding of your source's behavior, 
> to be able to make a sensible entropy estimate.

Yes.

> (Entropy isn't a property of a bitstring, it's a property of the
> process that generated it, so you need to understand that process.)

Yes.

>  Given that model, you can find statistical tests that are great at
> estimating entropy.  But without the model all a black box estimator
> can do is give you an upper bound.

Yes.

> However, this kind of model is basically impossible for operating 
> system sources--for those, you can make pretty plausible arguments 
> that there is stuff no attacker can guess in there somewhere, but
> you can't get any kind of nice probability estimates based on a
> physical understanding because the source is too complicated to model
> well.
> 
> The best you can do is make some plausible bounds on an attacker's 
> ability to guess things.

Talking about "operating system sources" is too vague.
Furthermore, it is misguided to focus on what can't be done.

Very often a sound card is available to the operating system,
and it can be used as the basis for a strong, reliable
randomness generator.

  There are some server-class boards out there that
  lack a sound card, but that is a fixable problem.
  Fixable at very low cost.
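
The point agreed on above, that a black-box estimator only yields an upper bound because entropy belongs to the generating process, can be seen in a small added example (not part of the original message). The source `toy_source`, its 16-bit seed and the value 0xBEEF are constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

SEED_BITS = 16  # assumption: the toy process has only a 16-bit unknown seed

def toy_source(seed: int, nbytes: int) -> bytes:
    """Constructed source: SHA-256(seed || counter) blocks, fully determined by the seed."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        block = seed.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:nbytes])

def shannon_bits_per_byte(data: bytes) -> float:
    """Black-box estimate from byte frequencies alone."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def min_entropy_bits_per_byte(data: bytes) -> float:
    """Black-box most-common-value estimate from byte frequencies alone."""
    return -math.log2(max(Counter(data).values()) / len(data))

def recover_seed(prefix: bytes):
    """With the process model, the whole stream falls to a 2**SEED_BITS search."""
    for seed in range(1 << SEED_BITS):
        if toy_source(seed, len(prefix)) == prefix:
            return seed
    return None

def compare(seed: int = 0xBEEF, nbytes: int = 65536) -> dict:
    data = toy_source(seed, nbytes)
    return {
        "blackbox_shannon_total_bits": shannon_bits_per_byte(data) * nbytes,
        "blackbox_min_entropy_total_bits": min_entropy_bits_per_byte(data) * nbytes,
        "model_bound_total_bits": SEED_BITS,  # what the process can actually deliver
        "recovered_seed": recover_seed(data[:32]),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Both frequency-based estimates credit the 64 KiB stream with close to 8 bits per byte, while the model of the process caps the total at 16 bits and the seed search confirms it.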

