
A note on the latest randomness quarrel



* Never use "the lowest few bits" or (t1>t2)?1:0 to generate the actual
random numbers.

You only use things like that for estimating the amount of entropy in a
source. The number of bits of entropy in a pile of bits is one more than
the base-two logarithm of the average number of guesses a badguy needs
to figure out the value of the bits in the pile, given that it knows
your conditioning routine, observes what it can, and interferes with
your generator. So if your studies and statistical analyses estimate
that guessing the output of your conditioning routine takes 2^127
guesses on average, good for you: you've estimated that somewhere in its
input are 128 bits of entropy.
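
A minimal sketch of that arithmetic in C (the function name and the
example figure are illustrative, not from any real API):

    #include <math.h>
    #include <stdio.h>

    /* bits of entropy = log2(average guesses) + 1, per the
     * definition above; link with -lm */
    double entropy_bits(double avg_guesses)
    {
        return log2(avg_guesses) + 1.0;
    }

    int main(void)
    {
        /* if the best attack needs 2^127 guesses on average... */
        printf("%.0f bits\n", entropy_bits(pow(2.0, 127.0)));  /* 128 */
        return 0;
    }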

Um, I digress... the point is, don't use that output straight. Take
twice as much unconditioned input, non-random-looking stuff and all, as
you estimate your conditioning routine needs to produce a key's worth of
entropy, and _hash_it_. Your conditioning routine can introduce some
little bias you didn't see, or make some unnoticed mistake that lets
predictable bits through. Hashing can, too, but the hash functions have
been studied to make sure they're good a lot harder than your
conditioning procedure has.
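
A minimal sketch of that advice, assuming OpenSSL's one-shot SHA256()
(SHA-256 standing in for whichever well-studied hash you trust): pour
the whole raw pile, twice the estimated requirement, through the hash
and take the digest as key material.

    #include <stddef.h>
    #include <openssl/sha.h>    /* link with -lcrypto */

    /* Hash raw, unconditioned samples straight into key material.
     * raw[] should hold at least twice as much input as the entropy
     * estimate says you need for a key. */
    void distill_key(const unsigned char *raw, size_t raw_len,
                     unsigned char key[SHA256_DIGEST_LENGTH])
    {
        SHA256(raw, raw_len, key);   /* 256-bit digest */
    }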

* A badguy's introduction of extra events doesn't poison your randomness.

A badguy could introduce a multitude of predictable-but-random-looking
events to make your generator close up shop before it has gathered
enough unpredictable events to meet its entropy estimate. That only
works, though, if extra events make your generator stop collecting
earlier. The amount of time it spends collecting randomness shouldn't
depend on _any_ output of the generator, because that needlessly leaks
entropy.
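
A sketch of that rule, with read_event() as a hypothetical stand-in for
the raw event source: the collection window is fixed up front and never
consults the data, so a flood of extra events can't cut collection
short.

    #include <stddef.h>
    #include <string.h>
    #include <time.h>

    #define COLLECT_SECONDS 30   /* fixed window, chosen up front */

    extern unsigned long read_event(void);   /* hypothetical source */

    /* Collect raw samples for a fixed stretch of wall-clock time, so
     * the length of collection never depends on what the samples look
     * like. Caller hashes buf[0..n) afterward. */
    size_t collect_raw(unsigned char *buf, size_t buflen)
    {
        time_t stop = time(NULL) + COLLECT_SECONDS;
        size_t n = 0;
        while (time(NULL) < stop && n + sizeof(unsigned long) <= buflen) {
            unsigned long t = read_event();
            memcpy(buf + n, &t, sizeof t);   /* keep every sample as-is */
            n += sizeof t;
        }
        return n;
    }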

Also, a badguy could introduce two nearly-simultaneous events near the
beginning of the process, when it can be fairly sure that the wait
between its events and the previous event will produce a zero, or make
the lowest few bits of the delay between events match a certain value.
(Interpreting that sentence is left as an exercise for the reader :)
But that trick only works on a system whose conditioning routine lets
extra events push bad bits into the output. If you hash your raw data
instead of using one of those conditioning routines, it's nearly
-- nearly, that's your cue to say it has to be always -- impossible to
weaken the output without knowing the other data being hashed.
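
A sketch of why the hash holds up, again assuming OpenSSL's SHA-256 and
illustrative buffer names: the badguy's events get hashed together with
samples it never sees, so steering the digest means knowing all the
other input too.

    #include <stddef.h>
    #include <openssl/sha.h>

    /* Mix attacker-visible and attacker-blind samples into one digest.
     * Biasing the output would require knowing unseen[] as well. */
    void mix(const unsigned char *known, size_t klen,    /* badguy-chosen */
             const unsigned char *unseen, size_t ulen,   /* badguy-blind */
             unsigned char out[SHA256_DIGEST_LENGTH])
    {
        SHA256_CTX ctx;
        SHA256_Init(&ctx);
        SHA256_Update(&ctx, known, klen);
        SHA256_Update(&ctx, unseen, ulen);
        SHA256_Final(out, &ctx);
    }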

Third, el badguy could introduce so many events that the gap between
events was always less than the measurement threshold. Note, however,
that the Geiger counter, the computer, and the operator would all fail
under those circumstances.

Therefore, pretty much any strategy allowing extra events to kill entropy
is flawed. 

================================================================================
	/// anonymous : [email protected] : http://replay.com ///
================================================================================