[149270] in cryptography@c2.net mail archive


Re: [Cryptography] cheap sources of entropy

daemon@ATHENA.MIT.EDU (John Denker)
Thu Jan 30 00:54:21 2014

X-Original-To: cryptography@metzdowd.com
Date: Wed, 29 Jan 2014 22:36:39 -0700
From: John Denker <jsd@av8n.com>
To: cryptography@metzdowd.com
In-Reply-To: <20140130041155.1E5262280B0@palinka.tinho.net>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

I wrote:
 
>> One well-calibrated well-defended well-monitored entropy source
>> makes incomparably more sense than an arbitrarily complicated
>> conglomeration of sucky sources.            [A]

On 01/29/2014 09:11 PM, dan@geer.org wrote:

> Recalibrating first principles for a moment, please.  My understanding
> is that a mix of N bit streams will be truly unpredictable if any 1 of
> the N bit streams is truly unpredictable.         [B]

Well, that's basically the right idea.  I will assume(*) that
by "mix" you mean something like a good cryptologic hash.

Let's explore the consequences:

As a corollary, if you have one truly completely unpredictable
input, the others don't help.  This is consistent with my
statement [A].

  If you want to talk about redundancy, we need to have a muuuuch
  more detailed discussion.  If you're serious, we would have
  to work out a full fault tree to check for correlated failures.

Conversely, there are a lot of people -- in this forum and
elsewhere -- who seem to think they can make a silk purse out 
of a sow's ear, if only they can get their hands on "enough" 
sow's ears.  There is nothing in statement [B] to support this 
approach.  Basic engineering principles and experience indicate 
that this is not, in fact, a viable approach.  This is consistent
with my statement [A].

  If you want to talk about combining multiple *good* entropy
  sources, we can do that.  However, any one of them would 
  serve as the basis for a proper HRNG.  Combining them just 
  improves the output rate, without changing the principle of
  the thing.  We are talking about multiple good, well-calibrated
  well-defended well-monitored sources.  All this is consistent
  with my statement [A].


> If that is incorrect, what am I missing? 

(*) Not meaning to derail the conversation, but there are lots
of "mix" functions, not all of which are suitable for this
application.  For example, if you /collate/ the inputs, the
output could very well be far from unpredictable, even if one
of the inputs is truly unpredictable.

Also, if you take two inputs, each of which /by itself/ is
completely unpredictable, bad things might happen if you "mix"
them using XOR, since they might be correlated.  Let's not even 
discuss foolish "mix" functions such as Boolean AND.

The thing I don't understand is why any of this should be
considered controversial.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
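As an added illustration of the point about "mix" functions (a toy model of mine, not code from the message above or from the list), the following enumerates one uniformly random byte from source A, lets a second source B be some function of A (perfectly correlated, dead, or partially correlated), and measures what each mixer leaves an observer: the entropy of the output and how many output bits are fixed in advance. The function names and the three B models are constructed for this example.

```python
import hashlib
import math
from collections import Counter

# Source A emits one uniformly random byte; all 256 values are enumerated
# so the figures below are exact. Source B is modelled as weak(A), so it
# may be correlated with A even when B on its own looks uniform (COPY is).

def mix_xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mix_collate(a: bytes, b: bytes) -> bytes:
    # "collate": lay the inputs side by side, no cryptographic processing
    return a + b

def mix_hash(a: bytes, b: bytes) -> bytes:
    # cryptographic hash over the collated inputs
    return hashlib.sha256(a + b).digest()

def outputs(mix, weak):
    return [mix(bytes([x]), weak(bytes([x]))) for x in range(256)]

def shannon_bits(mix, weak) -> float:
    """Shannon entropy (bits) of the mixed output when A is uniform."""
    counts = Counter(outputs(mix, weak))
    return -sum(c / 256 * math.log2(c / 256) for c in counts.values())

def fixed_output_bits(mix, weak) -> int:
    """Output bit positions that take the same value for every A,
    i.e. bits an observer knows before the output is produced."""
    outs = outputs(mix, weak)
    fixed = 0
    for i in range(len(outs[0]) * 8):
        vals = {(o[i // 8] >> (7 - i % 8)) & 1 for o in outs}
        fixed += len(vals) == 1
    return fixed

# Three constructed behaviours for the second source B:
COPY = lambda a: a                             # B is a copy of A
CONSTANT = lambda a: b"\x00"                   # B is a dead source
HIGH_NIBBLE = lambda a: bytes([a[0] & 0xF0])   # B leaks half of A

if __name__ == "__main__":
    for bname, weak in [("copy", COPY), ("constant", CONSTANT), ("high nibble", HIGH_NIBBLE)]:
        for mname, mix in [("xor", mix_xor), ("collate", mix_collate), ("hash", mix_hash)]:
            print(f"B={bname:11s} mix={mname:7s} entropy={shannon_bits(mix, weak):4.1f} bits"
                  f"  fixed output bits={fixed_output_bits(mix, weak)}")
```

XOR with a correlated B can destroy all of A's entropy (copy gives 0 bits), collating keeps the entropy but leaves whole bytes of the output known in advance, while the hash keeps the full 8 bits and fixes no output bit regardless of what B does.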
