Re: Making One-time pad using the soundcard
David Honig wrote: [I would not feel particularly comfortable merely combining the bits of a single sample -- distilling entropy using a hash function and large blocks of input would probably work out better. I'm sure there will be plenty of opinions around here. --Perry] A secure hash will only obscure entropy measurement (a good hash gives 1bit/symbol *apparent* entropy even if only few input bits change infrequently). You must measure your distillate's entropy before hashing if you hash. The purpose of the secure hash is to make sure your entropy is evenly spread. Clearly you must measure it before this whitening (though I'm underconvinced you can actually measure entropy in real life - however, I'm certain you can't after its been whitened). Cheers, Ben. -- http://www.apache-ssl.org/ben.html "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
Re: Making One-time pad using the soundcard
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 At 03:31 PM 2/14/01 +0200, Paul N wrote: It is secure to make a onetime pad using 16 bit input from soundcard using the following algorithm? Each bit of the output is the result of XOR-ing all 16 bits from the input sample... so, for making one byte of "one-time pad", I need 8 samples (16*8 bits or 16 bytes) of input? Of course I allow this only if the cllipping doesn't occurs and there is nosilence [I would not feel particularly comfortable merely combining the bits of a single sample -- distilling entropy using a hash function and large blocks of input would probably work out better. I'm sure there will be plenty of opinions around here. --Perry] On a Sun workstation that I used back in about 1990, the particular A/D converters they used (or the card they were in) gave electronic noise in the LSB if there was no microphone plugged in. The entropy of true randomness was about 1 bit every 2 samples and I used to distill randomness as Perry suggested -- with a hash function, after gzip. The trouble is that this source of randomness varies by card. Some show it and some don't. If you leave the mic plugged in, the question becomes how much entropy is in the room noise of the computer that no attacker could learn. It's not really random and it is attackable (e.g., by the attacker's own microphone array), but if you know there is no attacker mic in the room, you might talk yourself into trusting the bits derived this way to be unique to you. I had some command line (UNIX pipe) randomness distilling programs on my web site, before my old ISP lost that site. I will see if I can put them back this weekend. - Carl -BEGIN PGP SIGNATURE- Version: PGP 6.5.2 iQA/AwUBOo84J3PxfjyW5ytxEQJVrgCg3RzaQMUflY0Z406P9QwRMaSulu4AoNCz U0O+L7Hm1Os+44EnT2GMmcP9 =KEg7 -END PGP SIGNATURE- +--+ |Carl M. Ellison [EMAIL PROTECTED] http://world.std.com/~cme | |PGP: 08FF BA05 599B 49D2 23C6 6FFD 36BA D342 | +--Officer, officer, arrest that man. He's whistling a dirty song.-+
Re: Making One-time pad using the soundcard
At 03:31 PM 2/14/01 +0200, Paul N wrote: It is secure to make a onetime pad using 16 bit input from soundcard using the following algorithm? Each bit of the output is the result of XOR-ing all 16 bits from the input sample... so, for making one byte of "one-time pad", I need 8 samples (16*8 bits or 16 bytes) of input? This was (more than) sufficient distillation for FM-hiss when I experimented with that. You have to measure the entropy of your distillate, to *know*, rather than hope. You should also measure the entropy of your raw measurements ---I expect ambient noise is lower entropy than hiss. Beware of (periodic) hum. Of course I allow this only if the cllipping doesn't occurs and there is nosilence Suggestion: Interstation FM hiss is higher-volume and higher bandwidth than ambient noise. But again, you can measure this. [I would not feel particularly comfortable merely combining the bits of a single sample -- distilling entropy using a hash function and large blocks of input would probably work out better. I'm sure there will be plenty of opinions around here. --Perry] A secure hash will only obscure entropy measurement (a good hash gives 1bit/symbol *apparent* entropy even if only few input bits change infrequently). You must measure your distillate's entropy before hashing if you hash. If you do get a distillate that passes the tests, there is really no need for hashing ---though it can't hurt IFF the input is 1 bit/symbol. So, how to measure entropy? Use Shannon's entropy formula, use Maurer's sequence-sensitive but equally fast test, and use the Diehard suite to really look for structure. In a OTP, after creating a pad, your program should run these tests on the pad as a quality check. With these tools you can really do science and measure the effect of various distilling functions. Don't trust, measure. ... "What company did you say you were from, Mr. Hewlett?" ---Walt Disney to Bill Hewlett eetimes 22.01.01 p 32
