[Freedombox-discuss] Entropy from the soundcard
m-- at gmx.com
Thu Sep 15 12:04:22 UTC 2011
On 15/09/11 02:36, Sandy Harris wrote:
> RFC 1750 has been obsoleted by 4086

Thanks, I didn't realise. Seems like the section on using existing
sound/video input is unchanged.

> There's code for an RNG available, based on a sound card with no mic
> connected, with a good analysis of the thermal and other noise used.

I have some concerns about Turbid. As far as I can tell, it works by
sampling noise from a soundcard with nothing connected, calculating a
theoretical lower bound on the entropy of the noise, and using that
lower bound to determine how much noise to feed into a hash function
(SHA-1) to ensure 160 bits of entropy in the hash function's 160-bit output.

It's a clever approach, but one thing makes me nervous: the lower bound
is based on the assumption that the noise from the soundcard is white
noise. Possible sources of non-white noise (eg interference from the
power supply, which would produce a periodic "hum") are mentioned in
section 6.4 of the paper, but it's assumed that they can only add to the
entropy of the sampled noise.

In a general sense that's true: adding a signal to white noise, even a
totally predictable signal, doesn't produce a combined signal that's any
more predictable than the white noise alone. But in a more specific
sense it's problematic, because you can't determine the volume of the
white noise from the volume of the combined signal - and I *think*
that's what Turbid's calibration process tries to do.

If I'm right, the presence of non-white noise might cause Turbid to
overestimate the amount of white noise available from the soundcard, in
which case it wouldn't feed enough noise into the hash function to
ensure a high-entropy output.

I say "might" because I don't really understand how Turbid's calibration
process works. For each model of soundcard you have to calculate some
parameters by soldering cables, playing test tones and taking
measurements with a voltmeter. How that produces an estimate of the
amount of white noise, as opposed to noise-of-all-colours, I can't tell.
Maybe someone who understands the maths better than I do can explain?

> If you are actually constructing an RNG, though, it is better not to
> discard any possible entropy. If you're sure there's no more than
> one bit per sample, take the parity of the sample rather than
> just the low-order bit. If there might be more than one, take the
> sample modulo something that is not a power of two.

Ah, thanks, the parity idea makes sense. Could you explain how the
modulo idea works?
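
The concern raised in this message, worked as an added example that is not part of the original post and is not Turbid's code or calibration procedure: a hypothetical estimator that treats the whole measured amplitude as white noise is compared with the entropy of the white component alone. The signal parameters (2 LSB of white noise, an 8 LSB 50 Hz hum, 48 kHz sampling) and the Gaussian entropy approximation are assumptions chosen for illustration.

```python
import math
import random

TARGET_BITS = 160  # entropy wanted in one 160-bit hash output

def gaussian_bits_per_sample(sigma_lsb):
    """Entropy (bits) of Gaussian noise with std dev sigma_lsb, quantised to
    1-LSB steps: 0.5*log2(2*pi*e*sigma^2). Approximation, needs sigma >~ 1."""
    return 0.5 * math.log2(2 * math.pi * math.e * sigma_lsb ** 2)

def capture(n, sigma_white, hum_amp, hum_hz=50.0, rate=48000.0, seed=1):
    """Constructed input: white Gaussian noise plus a fully predictable hum."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, sigma_white)
            + hum_amp * math.sin(2 * math.pi * hum_hz * i / rate)
            for i in range(n)]

def rms(samples):
    """Root-mean-square amplitude after removing any DC offset."""
    mean = sum(samples) / len(samples)
    return math.sqrt(sum((s - mean) ** 2 for s in samples) / len(samples))

def compare(sigma_white, hum_amp, n=48000):
    samples = capture(n, sigma_white, hum_amp)
    # Hypothetical estimator: treats the whole measured RMS as white noise.
    naive_bits = gaussian_bits_per_sample(rms(samples))
    # What someone who knows the hum still cannot predict: the white part only.
    true_bits = gaussian_bits_per_sample(sigma_white)
    # Number of samples the naive estimate says must be hashed for 160 bits.
    samples_fed = math.ceil(TARGET_BITS / naive_bits)
    return {"naive_bits": naive_bits, "true_bits": true_bits,
            "samples_fed": samples_fed,
            "entropy_delivered": min(TARGET_BITS, samples_fed * true_bits)}

if __name__ == "__main__":
    for hum in (0.0, 8.0):
        print("hum amplitude", hum, compare(sigma_white=2.0, hum_amp=hum))
```

With no hum the two estimates agree and the hash input carries the full 160 bits; with the hum present the amplitude-based estimate hashes too few samples and the input carries only about two thirds of the target.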