[Cryptech Tech] Hardware entropy

[Stephan Mueller]

Am Dienstag, 27. Mai 2014, 14:43:53 schrieb Bernd Paysan:

Hi Bernd,

>Am Dienstag, 27. Mai 2014, 08:00:49 schrieb Stephan Mueller:
>> However, any whitening function cannot add entropy, even though it
>> can mix the data sufficiently to pass statistical tests. At best, it
>> cannot add entropy, at worst, it will loose entropy.
>> 
>> This is the reason why the output of the basic noise source must be
>> completely assessed. I do not care which whitening function you have
>> on top as long as the basic noise source has acceptable statistical
>> properties.
>Sure.  The question is more if you actually want to have some whitening
>function reduce the entropy before you put it into the hash; and I
>don't like the idea.
>
>Example: To remove the bias of the individual roscs, you can xor two
>sources (that's why I had the p ^ n readout address in my original
>entropy block). The result is a pretty flat distribution of all
>possible byte values (roughly gauss-shaped, see attached second-order
>histogram - that's a histogram of the histogram), but the entropy is
>nearly half of the original entropy (the individual bits are now
>better, but the overall number of bits are reduced by a factor two).

Can you please elaborate on the last part. I do not understand what you 
mean with the entropy is half.

It is mathematically proven that XOR does not reduce entropy of two 
*independent* data sets. So, when you say that XOR reduces entropy, the 
data sets per definition are dependent. Thus, you do not have as much 
entropy even in your initial data sets.
>
>If you want to use my entropy source "raw" without any further post-
>processing, that's the way to go - just xor two outputs together, that
>should give you a random source that should pass the dieharder test. 
>The observability is reduced (e.g. no way to measure bias), that's why
>you should have that function as separate element in your data path.


Ciao
Stephan