[Cryptech Tech] Hardware entropy

Bernd Paysan bernd at net2o.de
Fri May 23 14:31:55 UTC 2014


On Friday, 23 May 2014, 13:42:32, Joachim Strömbergson wrote:
> If someone wants to do von Neumann whitening that would be ok with me -
> as long as the raw entropy extraction point happens before the whitening.

The counterargument is that in cryptography, you need to be stupid simple, so 
every part you use must have a good analysis, and do something that is 
necessary and clearly not harmful.  Adding blocks just for the sake of adding 
functionality isn't a good idea.

So von Neumann's whitening is easy to understand, but IMHO it is somewhat 
harmful.  It reduces entropy (the time between 1s of a quite biased towards 0 
entropy source is the actual entropy, not the question whether the 1 is in an 
odd or even slot - that would be only the LSB of the entropy), and it still 
can't guarantee that the output actually has good random properties.

That's why people have started using cryptographic hashes instead.  They do 
compress the entire entropy in the input stream, and produce an output that 
passes all statistical tests, at least when you keep the previous state 
of the hash algorithm and accumulate entropy (otherwise, when the source runs 
dry, the results become guessable).

-- 
Bernd Paysan
"If you want it done right, you have to do it yourself"
http://bernd-paysan.de/
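To make the two points in the mail concrete (von Neumann debiasing keeps only a small fraction of a biased source's entropy, and a stateful hash extractor keeps producing distinct output when the source runs dry while a stateless per-chunk hash does not), here is an added Python example. It is not code from the Cryptech project or from the mail; the biased bit source, the initial pool contents and the `hash_extract` construction are constructed for illustration only.

```python
import hashlib
import math
import random


def biased_bits(n, p_one, seed=1):
    """Constructed stand-in for a raw hardware source: i.i.d. bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def entropy_per_bit(p_one):
    """Shannon entropy of one source bit: an upper bound on what any extractor can keep."""
    if p_one in (0.0, 1.0):
        return 0.0
    return -(p_one * math.log2(p_one) + (1 - p_one) * math.log2(1 - p_one))


def von_neumann(bits):
    """Von Neumann debiasing over non-overlapping pairs: emit the first bit of
    '01' / '10', drop '00' / '11'.  Output is unbiased, but most input is thrown away."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def hash_extract(state, raw):
    """Stateful hash extractor (constructed): new_state = H(state || raw); the output is
    derived from the new state, so entropy gathered in earlier rounds is carried forward."""
    new_state = hashlib.sha256(state + raw).digest()
    return new_state, hashlib.sha256(b"output" + new_state).digest()


def dry_source_outputs(rounds, stateful):
    """Feed `rounds` all-zero chunks (a source that has run dry) through either the
    stateful chain or a stateless per-chunk hash, and return the outputs."""
    state, raw, outs = b"initial pool contents", bytes(32), []
    for _ in range(rounds):
        if stateful:
            state, out = hash_extract(state, raw)
        else:
            out = hashlib.sha256(raw).digest()  # no state: same input, same output
        outs.append(out)
    return outs


if __name__ == "__main__":
    src = biased_bits(20000, 0.1)
    out = von_neumann(src)
    print(f"source: {len(src)} bits, ~{entropy_per_bit(0.1):.3f} bits of entropy each "
          f"(~{len(src) * entropy_per_bit(0.1):.0f} total)")
    print(f"von Neumann kept {len(out)} bits, ones fraction {sum(out) / len(out):.3f}")
    print("dry source, stateless:", len(set(dry_source_outputs(5, False))), "distinct outputs")
    print("dry source, stateful: ", len(set(dry_source_outputs(5, True))), "distinct outputs")
```

The stateful chain only stays unpredictable as long as the pool already held entropy before the source dried up; the example shows that earlier input is not forgotten, not that a dry source creates new entropy.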