[Cryptech Tech] Hardware entropy

[Stephan Mueller]

Am Freitag, 23. Mai 2014, 16:31:55 schrieb Bernd Paysan:

Hi Bernd,

> Am Freitag, 23. Mai 2014, 13:42:32 schrieb Joachim Strömbergson:
> > If someone wants to do von Neumann whitening that would be ok with me -
> > as long as the raw entropy extraction point happens before the whitening.
> 
> The counterargument is that in cryptography, you need to be stupid simple,
> so every part you use must have a good analysis, and do something that is
> necessary and clearly not harmful.  Adding blocks just for the sake of
> adding functionality isn't a good idea.
> 
> So von Neumann's whitening is easy to understand, but IMHO it is somewhat
> harmful.  It reduces entropy (the time between 1s of a quite biased towards
> 0 entropy source is the actual entropy, not the question whether the 1 is
> in an odd or even slot - that would be only the LSB of the entropy), and it
> still can't guarantee that the output actually has good random properties.
> 
> That's why people have started using cryptographic hashes instead.  They do
> compress the entire entropy in the input stream, and produce an output that
> passes all statistical tests, and, at least when you keep the previous state
> of the hash algorim and accumulate entropy (otherwise when the source runs
> dry, the results become guessable).

However, any whitening function cannot add entropy, even though it can mix the 
data sufficiently to pass statistical tests. At best, it cannot add entropy, 
at worst, it will loose entropy.

This is the reason why the output of the basic noise source must be completely 
assessed. I do not care which whitening function you have on top as long as 
the basic noise source has acceptable statistical properties.

Ciao
Stephan
-- 
| Cui bono? |