2015-10-21 16:01:59

by Sandy Harris

[permalink] [raw]
Subject: Randomness for crypto, github repositories

I've just created github repositories for two projects:

https://github.com/sandy-harris/random.test

Test program for things I want to add to the Linux random(4) driver. I
am proposing a fairly radical rewrite. This gives an executable test
program for my new code, not a driver.

https://github.com/sandy-harris/maxwell

A demon to feed random(4) with entropy derived from the timer.
Intended mainly for use on limited systems which may lack other good
sources.


2015-10-21 17:13:46

by David Johnston

[permalink] [raw]
Subject: Re: [Cryptography] Randomness for crypto, github repositories

I've only looked at it briefly, but I have a question.. Are you trying to
use the GCM Galois multiply as an entropy extractor?

I don't know of any proof that it is a good extractor for any class of
entropic data. That doesn't mean there isn't one, but I've not heard of
one.

> I've just created github repositories for two projects:
>
> https://github.com/sandy-harris/random.test
>
> Test program for things I want to add to the Linux random(4) driver. I
> am proposing a fairly radical rewrite. This gives an executable test
> program for my new code, not a driver.
>
> https://github.com/sandy-harris/maxwell
>
> A demon to feed random(4) with entropy derived from the timer.
> Intended mainly for use on limited systems which may lack other good
> sources.

2015-10-21 17:28:08

by Sandy Harris

[permalink] [raw]
Subject: Re: [Cryptography] Randomness for crypto, github repositories

On Wed, Oct 21, 2015 at 1:06 PM, <[email protected]> wrote:

> I've only looked at it briefly, but I have a question.. Are you trying to
> use the GCM Galois multiply as an entropy extractor?

Yes, the basic idea is to use a series of GCM multiplies over the pool
data to replace the hashing of that data in the current driver. There
are complications; each hash uses two quasi-constants -- initialiser
and GCM multiplier -- and hashes a counter along with the pool data.
The counter changes on every iteration and is sometimes changed more
drastically, and the constants are sometimes updated

> I don't know of any proof that it is a good extractor for any class of
> entropic data. That doesn't mean there isn't one, but I've not heard of
> one.

Good question. It seems to me th at if it is secure for its
authentication usage, where it replaces an HMAC, then it should be
safe in this application. But no, I don't have a proof & the question
is worth some analysis.