bogus random entropy sources

Posted Oct 6, 2010 3:51 UTC (Wed) by jzbiciak (✭ supporter ✭, #5246)
In reply to: bogus random entropy sources by nowster
Parent article: Solid-state storage devices and the block layer

I linked this whitepaper above on the technique VIA used on its C3. They used multiple free-running oscillators to gather entropy. The resulting output varies in quality, from 0.75 to 0.99 bits of entropy per output bit, depending on the decimation factor used and whether or not you enable von Neumann whitening.

Given that it generates entropy in the megabits/second range, this is several orders better than you can get from hard disk seeks and user keystrokes, even if you have to throw most of the numbers away. And, given the high apparent entropy of the raw bits, you don't really need to throw many away at all.


bogus random entropy sources

Posted Oct 7, 2010 12:28 UTC (Thu) by nix (subscriber, #2304)

From all accounts I've read, the entropy of the numbers derived from the C3's RNG hardware sucks rather badly, probably because there are so many sources of regular noise in a CPU that it's hard to stop some of them leaking in. The figures I've heard are *well* below 0.75, more like 0.4 if you're lucky. And IIRC the C3 doesn't bother to validate them either (certainly from the description in the whitepaper they don't), and because the pair of oscillators comprise a single system, if it breaks down or becomes coupled to something external you *also* cannot tell.
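
An added example, not part of either comment: it applies von Neumann whitening to two constructed bit sources and estimates entropy per bit two ways, to show why a whitened stream still needs validation. The sources are simple models (an independent biased source, and an unbiased source whose bits repeat with high probability, standing in for periodic noise coupling in); they are assumptions, not measurements of the C3.

```python
import math
import random

def von_neumann(bits):
    """Von Neumann whitening: per non-overlapping pair, 01 -> 0, 10 -> 1, 00/11 dropped."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def h2(p):
    """Binary entropy, in bits, of a probability p."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def monobit_entropy(bits):
    """Estimate from the fraction of ones only; blind to correlation between bits."""
    return h2(sum(bits) / len(bits))

def markov_entropy(bits):
    """Entropy per bit given the previous bit, H(X_n | X_{n-1})."""
    counts = {0: [0, 0], 1: [0, 0]}
    for prev, cur in zip(bits, bits[1:]):
        counts[prev][cur] += 1
    total = len(bits) - 1
    return sum((sum(c) / total) * h2(c[1] / sum(c)) for c in counts.values() if sum(c))

def biased_source(n, p_one, rng):
    """Constructed source: independent bits with P(1) = p_one."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def sticky_source(n, p_stay, rng):
    """Constructed source: unbiased overall, each bit repeats the last with prob. p_stay."""
    bits, cur = [], 0
    for _ in range(n):
        if rng.random() >= p_stay:
            cur ^= 1
        bits.append(cur)
    return bits

def report(n=400_000, seed=1):
    """Return (monobit, markov) entropy estimates before and after whitening."""
    rng = random.Random(seed)
    out = {}
    for name, raw in (("biased", biased_source(n, 0.7, rng)),
                      ("sticky", sticky_source(n, 0.9, rng))):
        white = von_neumann(raw)
        out[name] = {"raw": (monobit_entropy(raw), markov_entropy(raw)),
                     "whitened": (monobit_entropy(white), markov_entropy(white)),
                     "kept": len(white) / len(raw)}
    return out

if __name__ == "__main__":
    for name, r in report().items():
        print(name, r)
```

For the independent biased source, whitening brings both estimates close to 1 bit per bit at the cost of most of the input. For the correlated source the whitened stream looks perfect on a ones-count test while the conditional estimate stays visibly below 1, which only a test that looks at bit-to-bit dependence will catch.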
