On Wed, May 27, 2015 at 3:12 AM, Russell Leidich <[email protected]> wrote:

> "if your proposed method comes with a complex extractor, it is bullshit"
>
> OK point well taken. I should offer a raw mode.

No, you actually shouldn't. You should offer raw mode only. Maybe some clever compression just to reduce the amount of data going into the slower secure whitening.

> What this leaves behind is the aperiodic residue. Or more specifically,
> ((the hashes (of all sequences)) that have not been seen in the last 2^16
> such hashes). I realize that this isn't hard proof (as nothing in physical
> hardware can be proven)

This is much worse than "not a hard proof". It is next to nothing. You have a hypothesis, which you don't clearly state, and then you have a countermeasure, which you don't explain.

> cache misses, pipeline stalls, CPU circuit clock gating, etc. that provide
> the majority of the protoentropy.

The CPU is a deterministic system. Cache misses and all the other stuff are not random, but depend on previous instructions, thus on the internal state of the CPU. This is NOT a source of entropy. The source of entropy comes from outside of the CPU, namely anything that changes its internal state. These are: responses from mass storage or other IO drivers, user input, network events, etc. That is: IRQs. The CPU as a system is chaotic, and so tiny differences in those inputs cause huge differences later. But this is NOT entropy. This is a completely deterministic process.

At this point, we could dwell on the nature of entropy. By definition, entropy is anything the attacker does not know. Considering your probable attackers, the entire internal state of the CPU is entropy. But this is not the case for limited hardware and more potent attackers. That is why it is crucial to separate the actual entropy from the deterministic chaos on top of it. With a nice usual thermal noise generator, we can be pretty sure about the real entropy, which is entropy for all attackers. That so-called CPU jitter is not entropy, but a chaotic complex postprocessing on top of some IRQ-based minimal real entropy, the amount of which is unknown.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
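The argument above, as an added example that is not part of the thread and not code from either poster: a deterministic "jitter" source (a constructed stand-in for CPU state, here SHA-256 iterated on its own state) whose only outside input is a few bits of IRQ-like data, fed through a "complex extractor" (hashing). The most-common-value min-entropy estimator from SP 800-90B rates the whitened output at several bits per byte, yet an attacker who knows the model enumerates the handful of possible inputs and reproduces the whole stream. Only the raw mode lets an evaluator see how little actually came in. The function names, the chaotic model and the IRQ-bit budget are assumptions made for illustration.

```python
"""Deterministic 'CPU jitter' versus its whitened output (constructed example)."""
import hashlib
import math
from collections import Counter
from typing import Optional


def jitter_source(irq_input: int, n: int, delta_bits: int = 8) -> bytes:
    """Constructed stand-in for CPU-timing jitter: a chaotic but fully
    deterministic state machine (SHA-256 iterated on its own state), seeded
    with the only outside input, `irq_input`. Same input -> identical bytes.
    `delta_bits` limits how many low bits of each 'timing delta' vary."""
    state = hashlib.sha256(b"cpu-state" + irq_input.to_bytes(8, "big")).digest()
    mask = (1 << delta_bits) - 1
    out = bytearray()
    for _ in range(n):
        state = hashlib.sha256(state).digest()  # next deterministic CPU state
        out.append(state[0] & mask)              # one observed timing delta
    return bytes(out)


def whiten(raw: bytes) -> bytes:
    """The 'complex extractor': SHA-256 in counter mode over the raw stream,
    producing output of the same length. It cannot add entropy; it only hides
    how much (or how little) the raw stream had."""
    out = bytearray()
    counter = 0
    while len(out) < len(raw):
        out += hashlib.sha256(raw + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[: len(raw)])


def mcv_min_entropy_per_byte(data: bytes) -> float:
    """Most-common-value min-entropy estimate (NIST SP 800-90B, 6.3.1),
    in bits per sample (byte). A purely statistical view of the data."""
    n = len(data)
    p_hat = max(Counter(data).values()) / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def recover_irq_input(whitened: bytes, irq_bits: int, n: int,
                      delta_bits: int = 8) -> Optional[int]:
    """Attacker who knows the model and the whitening: try every possible
    outside input and return the one that reproduces the observed output.
    Cost is 2**irq_bits trials, whatever the statistics of the output say."""
    for guess in range(1 << irq_bits):
        if whiten(jitter_source(guess, n, delta_bits)) == whitened:
            return guess
    return None


if __name__ == "__main__":
    IRQ_BITS = 4          # assumed: only 16 distinguishable outside inputs
    N = 4096
    raw = jitter_source(7, N, delta_bits=2)   # narrow deltas: 4 distinct values
    out = whiten(raw)
    print("raw      MCV estimate: %.2f bits/byte" % mcv_min_entropy_per_byte(raw))
    print("whitened MCV estimate: %.2f bits/byte" % mcv_min_entropy_per_byte(out))
    print("attacker recovers IRQ input:", recover_irq_input(out, IRQ_BITS, N, 2))
    print("real entropy budget was at most %d bits in total" % IRQ_BITS)
```

The raw stream with two-bit deltas is capped at two bits per byte by the estimator, which at least reflects the narrow source; the whitened stream of the same data scores like uniform random bytes while being reproducible in sixteen guesses. That gap is the point of insisting on a raw mode.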
