
Re: [Cfrg] (no subject) (Randomness recommendations)



John Kelsey wrote:
Guys,

I have quite a few comments on your draft document, "Randomness
Recommendations for Security."  I'm sorry I haven't gotten this to you
sooner--I know big lists of comments take time to digest, and that
you'd like to get this out the door.  For reference, I'm one of the
people working on the X9.82 random number generation standardization
effort, and this is a pretty major area of research for me, so I hope
I can offer you some pretty meaty comments.  I wish I had time to give you
more--these comments are still a bit unrefined.

[ monster snip]

I think there are three core points you need to hit in this section,
one of which you've touched on, two of which you've missed:

a.  When you're looking at entropy sources, passing statistical tests
has no relationship to whether the source is unpredictable, which is
what you really want.  (This works both ways:  The sequence of bits
from SHA1 hashing 0,1,2,... has no unpredictability, but will pass any
statistical test you can find.  A sequence of ASCII characters
encoding the rolls of a 6-sided die will fail every statistical test
you can think of, but it's a great source of unpredictability.)

[ monster snip]

I think that there should be some guidance on how to evaluate the realistic entropy of a source, or at least some references to the literature on the subject. As it is, the draft just says that estimating entropy requires "an engineering study". The problem is that finding information about this is quite hard.

As has been said before, a simple measure of a bit stream calculating Shannon entropy is not good. Min-entropy is difficult to compute for a bit stream. (What block size do you use? And if you pick one large enough to find many problems that might occur, it requires too much space and time.) And the purpose of min-entropy does not apply to a bit stream that is going to be "mixed" or "accumulated". There are a bunch of papers on entropy measurement by researchers in chaos theory and by people in the neuroscience community, but they seem to be written for specialists in those areas. (In other words, I couldn't understand them.)

So, the bottom line is I think the document should at least help an engineer in your target audience get started estimating entropy.

  -- David Jacobson
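The two points raised above (Kelsey's "passes every test but has no unpredictability" versus "fails every test but is a great entropy source", and Jacobson's complaint that Shannon and min-entropy estimates over a bit stream depend on an arbitrary block size) can be made concrete with a small script. What follows is an added example written for this archive page; it is not code from the draft, from the X9.82 effort, or from either poster. Both sources are constructed: the SHA-1-of-a-counter stream is exactly the construction Kelsey describes, and the die rolls come from a seeded PRNG standing in for a fair die so the run is repeatable. The monobit statistic, the block-entropy estimators, and the `predict_sha1_counter` attacker helper are my own illustrative functions, not anything the draft specifies.

```python
import hashlib
import math
import random
from collections import Counter


# --- Two constructed sources (the examples from the quoted message) -------

def sha1_counter_bytes(n_bytes: int, start: int = 0) -> bytes:
    """Kelsey's 'SHA1 hashing 0,1,2,...' source: concatenated SHA-1 digests
    of a decimal counter. Zero unpredictability: anyone who knows the
    construction regenerates every byte."""
    out = bytearray()
    i = start
    while len(out) < n_bytes:
        out += hashlib.sha1(str(i).encode()).digest()
        i += 1
    return bytes(out[:n_bytes])


def dice_ascii_bytes(n_rolls: int, seed: int = 1) -> bytes:
    """Kelsey's ASCII die-roll source: one byte '1'..'6' per roll.
    Constructed with a seeded PRNG in place of a physical die."""
    rng = random.Random(seed)
    return bytes(rng.choice(b"123456") for _ in range(n_rolls))


# --- A statistical test and two entropy estimators ----------------------

def monobit_z(data: bytes) -> float:
    """Frequency (monobit) statistic on the bit string; |z| above ~2.6
    fails at the 1% level. Says nothing about predictability."""
    n = 8 * len(data)
    ones = sum(bin(b).count("1") for b in data)
    return abs(2 * ones - n) / math.sqrt(n)


def _block_counts(data: bytes, block: int) -> Counter:
    # Non-overlapping blocks; the block size is the arbitrary choice
    # Jacobson objects to.
    return Counter(data[i:i + block] for i in range(0, len(data) - block + 1, block))


def shannon_entropy(data: bytes, block: int = 1) -> float:
    """Empirical Shannon entropy, bits per block."""
    counts = _block_counts(data, block)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def min_entropy(data: bytes, block: int = 1) -> float:
    """Empirical min-entropy, bits per block: -log2(P[most frequent block])."""
    counts = _block_counts(data, block)
    return -math.log2(max(counts.values()) / sum(counts.values()))


def min_entropy_per_bit_by_block(data: bytes, blocks=(1, 2, 3)) -> dict:
    """Min-entropy per output *bit* at several block sizes. With a fixed
    sample, larger blocks leave very few occurrences per value, so the
    estimate collapses even for output that looks perfect at block=1."""
    return {b: min_entropy(data, b) / (8 * b) for b in blocks}


# --- The attacker's view of the 'perfect-looking' source ----------------

def predict_sha1_counter(observed: bytes, n_more: int, search_limit: int = 100_000) -> bytes:
    """From one observed 20-byte digest, recover the counter position and
    emit the source's next n_more bytes exactly (hypothetical helper)."""
    for i in range(search_limit):
        if hashlib.sha1(str(i).encode()).digest() == observed[:20]:
            return sha1_counter_bytes(len(observed) + n_more, start=i)[len(observed):]
    raise ValueError("prefix not found; stream is not the assumed construction")


if __name__ == "__main__":
    sha = sha1_counter_bytes(65536, start=4242)
    dice = dice_ascii_bytes(8192)
    for name, src in (("sha1-counter", sha), ("ascii-dice", dice)):
        by_block = {b: round(v, 3) for b, v in min_entropy_per_bit_by_block(src).items()}
        print(f"{name:12s} monobit z={monobit_z(src):6.2f} "
              f"shannon/byte={shannon_entropy(src):.3f} "
              f"min-entropy/byte={min_entropy(src):.3f} "
              f"min-entropy/bit by block={by_block}")
    print("next 40 bytes of sha1-counter predicted from 20 observed bytes:",
          predict_sha1_counter(sha[:20], 40) == sha[20:60])
```

Run it and the SHA-1 stream reports a tiny monobit statistic and close to 8 bits of Shannon and min-entropy per byte, yet `predict_sha1_counter` reproduces its future output from a single observed digest. The die-roll stream fails monobit by a wide margin (every ASCII digit has 3 or 4 one-bits, so the bit frequency is fixed near 0.44) while its per-byte entropy sits near log2(6). Comparing the per-bit min-entropy at block sizes 1, 2 and 3 on the same 64 KiB sample shows the block-size problem: the figure drops sharply as the block grows, purely because there are too few samples per value, which is why a bit-stream estimate needs an explicit model of the source rather than a block count.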


_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg