[136070] in cryptography@c2.net mail archive
Re: combining entropy
daemon@ATHENA.MIT.EDU (Jon Callas)
Fri Oct 24 17:44:00 2008
Cc: Cryptography <cryptography@metzdowd.com>
From: Jon Callas <jon@callas.org>
To: IanG <iang@systemics.com>
In-Reply-To: <48E0C673.6040005@systemics.com>
Date: Fri, 24 Oct 2008 12:42:59 -0700

On Sep 29, 2008, at 5:13 AM, IanG wrote:

> If I have N pools of entropy (all same size X) and I pool them
> together with XOR, is that as good as it gets?
>
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.

It's within epsilon for a good many epsilon.

I'm presuming you want the resultant size to be X, as well. Otherwise,
the suggestion that Ben has, concatenation, is obviously better, and
you can solve obvious problems.

Another solution is to hash the N pools together with a suitably
secure function. (Most of the available algorithms are suitably secure
for this purpose.) The downside of this is that you are capping your
entropy at the size of the hash function. It's better than XOR because
it's not linear, blah, blah, blah.

However, if you had three pools, each relatively large, it doesn't
hurt anything to XOR them together. It's pretty easy to prove that the
result does not decrease entropy, but I think it's impossible to prove
that it increases it. XORing is really taking the max of the N pools.

You have to realize that XOR is bad if there's a chance to leak the
entropy pool, XOR is a bad function. If whoever produced pool X sees
X^Y, then they know Y. But you know that, too.

Jon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
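
The combiners discussed in the message above, as an added example that is not part of the original post: XOR and hash combining of equal-sized pools, exact min-entropy of XORed toy sources, and the X^Y leak. The 4-bit sources, the byte pools, the choice of SHA-256 and the length prefix are assumptions of this example, and the entropy results hold only for independent sources.

```python
import hashlib
from fractions import Fraction
from itertools import product
from math import log2

def xor_combine(pools):
    """XOR equal-sized pools into one pool of the same size X."""
    size = len(pools[0])
    if any(len(p) != size for p in pools):
        raise ValueError("all pools must be the same size")
    out = bytearray(size)
    for pool in pools:
        for i, byte in enumerate(pool):
            out[i] ^= byte
    return bytes(out)

def hash_combine(pools):
    """Hash the pools together; the output is 32 bytes however large they are."""
    h = hashlib.sha256()  # SHA-256 is this example's choice of hash
    for pool in pools:
        h.update(len(pool).to_bytes(8, "big"))  # length prefix marks pool boundaries
        h.update(pool)
    return h.digest()

def xor_distribution(d1, d2):
    """Exact distribution of A ^ B for independent A ~ d1 and B ~ d2."""
    out = {}
    for (a, pa), (b, pb) in product(d1.items(), d2.items()):
        out[a ^ b] = out.get(a ^ b, 0) + pa * pb
    return out

def min_entropy(dist):
    """Min-entropy in bits of a {value: probability} distribution."""
    return -log2(max(dist.values()))

# Constructed 4-bit toy sources (not from the thread).
STUCK = {0: Fraction(1)}                                  # 0 bits: always the same value
WEAK = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
GOOD = {v: Fraction(1, 16) for v in range(16)}            # 4 bits: uniform

if __name__ == "__main__":
    for name, (a, b) in {"stuck^good": (STUCK, GOOD), "weak^good": (WEAK, GOOD),
                         "weak^stuck": (WEAK, STUCK)}.items():
        print(name, min_entropy(xor_distribution(a, b)), "bits")
    x, y = bytes(range(64)), bytes(reversed(range(64)))   # constructed pools
    mixed = xor_combine([x, y])
    print("producer of x recovers y:", xor_combine([mixed, x]) == y)
    print("hash output bytes:", len(hash_combine([x, y])))
```
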