Executive summary: The soundcard on one of my machines runs at 192000 Hz. My beat-up old laptop runs at 96000. An antique server runs at "only" 48000. There are two channels and several bits of entropy per sample. That's /at least/ a hundred thousand bits per second of real industrial-strength entropy -- the kind that cannot be cracked, not by the NSA, not by anybody, ever.

Because of the recent surge in interest, I started working on a new version of turbid, the software that manages the soundcard and collects the entropy. Please give me another week or so.

The interesting point is that you reeeeally want to rely on the laws of physics. Testing the output of a RNG can give an upper bound on the amount of entropy, but what we need is a lower bound, and only physics can provide that. The physics only works if you /calibrate/ the noise source. A major selling point of turbid is the calibration procedure. I'm working to make that easier for non-experts to use.

========================================

Concerning "radioactive" sources:

My friend Simplicio is an armchair cryptographer. He has a proposal to replace triple-DES with quadruple-rot13. He figures that since it is more complicated and more esoteric, it must be better.

Simplicio uses physics ideas in the same way. He thinks radioactivity is the "One True Source" of randomness. He figures that since it is more complicated and more esoteric, it must be better.

In fact, anybody who knows the first thing about the physics involved knows that quantum noise and thermal noise are two parts of the same elephant. Specifically, there is only one physical process, as shown by figure 1 here:
  http://www.av8n.com/physics/oscillator.htm
Quantum noise is the low-temperature asymptote, and thermal noise is the high-temperature asymptote of the /same/ physical process.

So ... could we please stop talking about "radioactive" random number generators and "quantum" random number generators? It's embarrassing.

It is true but irrelevant that somebody could attempt a denial-of-service attack against a thermal-noise generator by pouring liquid nitrogen over it. This is irrelevant several times over because:
 a) Any decrease in temperature would be readily detectable, and the RNG could continue to function. Its productivity would go down by a factor of 4, but that's all.
 b) It would be far more effective to pour liquid nitrogen over other parts of the computer, leading to complete failure.
 c) It would be even more effective (and more permanent) to pour sulfuric acid over the computer.
 d) Et cetera.

The point is, if the attacker can get that close to your computer, you have far more things to worry about than the temperature of your noise source. Mathematical cryptographers should keep in mind the proverb that says:
  If you don't have physical security, you don't have security.
To say the same thing in more positive terms: If you have any halfway-reasonable physical security, a thermal noise source is just fine, guaranteed by the laws of physics.

In practice, the nonidealities associated with "radioactive" noise are far greater than with thermal noise sources ... not to mention the cost and convenience issues.

As I have been saying for more than 10 years, several hundred thousand bits per second of industrial-strength entropy is plenty for a wide range of practical applications. If anybody needs more than that, we can discuss it ... but in any case, there are a *lot* of services out there that would overnight become much more secure if they started using a good source of truly random bits.

The main tricky case is a virtual private server hosted in the cloud. You can't add a real soundcard to a virtual machine. My recommendation for such a machine is to use a high-quality PRNG and re-seed it at frequent intervals. This is a chicken-and-egg situation:
 a) If you have /enough/ randomness stored onboard the VPS, you can set up a secure pipe to a trusted randomness server somewhere else, and get more randomness that way.
 b) OTOH if the VPS gets pwned once, it might be pwned forever, because the bad guys can watch the new random bits coming in, at which point the bits are no longer random.
 c) On the third hand, if the bad guys drop even one packet, ever, you can recover at that point.
 d) I reckon none of this is worth worrying about too much, because at some point the bad guys just strong-arm the hosting provider and capture your entire virtual machine.

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
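A worked illustration of the post's point that testing RNG output yields only an upper bound on entropy, added here as an example; it is not part of the original message and has nothing to do with turbid's own code or calibration procedure. A stream generated from a 16-bit seed (an assumption chosen so the brute force finishes instantly) carries at most 16 bits of entropy in total, yet the usual per-byte statistics (Shannon estimate, a simplified most-common-value min-entropy estimate, compressibility) all report it as essentially full-entropy. Only knowledge of how the stream was produced, which is what a physical calibration supplies for a hardware source, gives the true figure, and the last function shows what that gap means to an attacker.

```python
# Added example (not from the original post, not turbid code): statistical
# tests on RNG output bound entropy from above, never from below.
import hashlib
import math
import struct
import zlib
from collections import Counter

SEED_BITS = 16  # assumption for the demo: a tiny seed so brute force is instant


def deterministic_stream(seed: int, nbytes: int) -> bytes:
    """SHA-256 in counter mode.  Total entropy = entropy of `seed`, nothing more."""
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hashlib.sha256(struct.pack(">IQ", seed, block)).digest()
        block += 1
    return bytes(out[:nbytes])


def shannon_bits_per_byte(data: bytes) -> float:
    """Plug-in Shannon entropy of the byte histogram (what ent-style tools print)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def min_entropy_bits_per_byte(data: bytes) -> float:
    """Simplified most-common-value min-entropy estimate (plug-in version of the
    MCV estimator in NIST SP 800-90B, without its confidence-interval correction)."""
    return -math.log2(max(Counter(data).values()) / len(data))


def compression_ratio(data: bytes) -> float:
    """zlib compressed size / raw size; about 1.0 means 'looks incompressible'."""
    return len(zlib.compress(data, 9)) / len(data)


def true_bits_per_byte(seed_bits: int, nbytes: int) -> float:
    """The real entropy budget, known only from how the stream was generated."""
    return seed_bits / nbytes


def recover_seed(sample: bytes, seed_bits: int) -> int:
    """What the statistics miss: with so little real entropy the entire stream is
    recoverable by enumerating seeds against the first 8 output bytes."""
    prefix = sample[:8]
    for candidate in range(1 << seed_bits):
        if deterministic_stream(candidate, 8) == prefix:
            return candidate
    raise ValueError("no seed matched; sample was not produced by this generator")


def analyze(seed: int, nbytes: int) -> dict:
    """Run every estimate on one stream and put the true figure beside them."""
    sample = deterministic_stream(seed, nbytes)
    return {
        "shannon": shannon_bits_per_byte(sample),
        "min_entropy": min_entropy_bits_per_byte(sample),
        "compression": compression_ratio(sample),
        "true": true_bits_per_byte(SEED_BITS, nbytes),
        "recovered_seed": recover_seed(sample, SEED_BITS),
    }


if __name__ == "__main__":
    r = analyze(0xBEEF, 1 << 16)
    print(f"Shannon estimate  : {r['shannon']:.3f} bits/byte")
    print(f"min-entropy (MCV) : {r['min_entropy']:.3f} bits/byte")
    print(f"compression ratio : {r['compression']:.3f}")
    print(f"true entropy      : {r['true']:.6f} bits/byte")
    print(f"recovered seed    : {r['recovered_seed']:#x}")
```

The estimators report close to 8 bits per byte for a stream whose real entropy is 16 bits spread over 65536 bytes; the same numbers would appear for a hardware source whose amplifier had silently failed and was feeding a fixed pattern through a whitening hash, which is exactly why the post insists on a physics-based lower bound rather than output tests.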
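A toy model of points (b) and (c) in the VPS discussion above, added as an example; it is not part of the original message and is not turbid or any production DRBG. The generator is an HMAC-SHA256 key ratchet (an assumed design for illustration only) that is re-seeded from packets standing in for bytes fetched over the secure pipe in (a); the packets are constructed deterministically so the demo runs offline. The attacker begins with an exact copy of the state (the "pwned once" case) and stays in lock-step as long as every reseed packet is observed; missing a single packet desynchronises the attacker for good, even though all later packets are still seen.

```python
# Added example (not from the original post, not turbid code): re-seeding a
# PRNG on a VPS, and why one unobserved reseed packet lets the victim recover.
import copy
import hashlib
import hmac


class ReseedablePRNG:
    """Toy DRBG for illustration only: 32-byte key, HMAC-SHA256 output blocks,
    key mixed on reseed and ratcheted after every output call."""

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(b"init" + seed).digest()
        self.block = 0

    def reseed(self, fresh: bytes) -> None:
        # New key depends on the old key AND the incoming material, so an
        # attacker must know both to follow along.
        self.key = hmac.new(self.key, b"reseed" + fresh, hashlib.sha256).digest()

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            ctr = self.block.to_bytes(8, "big")
            out += hmac.new(self.key, b"out" + ctr, hashlib.sha256).digest()
            self.block += 1
        # Ratchet so a later state capture cannot reveal earlier output.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return bytes(out[:n])


def constructed_packets(count: int) -> list:
    """Stand-in for bytes fetched from a remote randomness server.  Constructed
    and deterministic for the demo; a real deployment would use fresh bytes."""
    return [hashlib.sha256(b"packet" + i.to_bytes(4, "big")).digest()
            for i in range(count)]


def simulate(rounds: int, dropped_round):
    """Per-round booleans: did the attacker predict the victim's output?

    The attacker starts with an exact copy of the victim's state and sees
    every reseed packet except the one in `dropped_round` (None = sees all).
    """
    victim = ReseedablePRNG(b"initial seed stored on the VPS")
    attacker = copy.deepcopy(victim)
    predicted = []
    for i, pkt in enumerate(constructed_packets(rounds)):
        victim.reseed(pkt)
        if i != dropped_round:
            attacker.reseed(pkt)
        predicted.append(attacker.random_bytes(16) == victim.random_bytes(16))
    return predicted


if __name__ == "__main__":
    print("attacker sees every packet :", simulate(6, None))
    print("attacker misses packet 2   :", simulate(6, 2))
```

With full observation every round is predicted, which is point (b): once the state is captured, watching the reseed traffic keeps the output predictable. Dropping round 2 makes that round and every later one unpredictable, which is point (c); the later packets do not help the attacker because each new key is a function of the previous key as well as the packet. Point (d) still stands: none of this helps if the hypervisor itself is handed over.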
