Re: Fortuna

From: Matt Mackall
Date: Sat Apr 16 2005 - 14:24:05 EST

Next message: Vadim Lobanov: "Re: Why system call need to copy the date from the userspace before using it"
Previous message: Matt Mackall: "Re: Fortuna"
In reply to: linux: "Re: Fortuna"
Next in thread: Matt Mackall: "Re: Fortuna"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Apr 16, 2005 at 05:16:22PM -0000, linux@xxxxxxxxxxx wrote:
> > "How does the entropy estimator measure entropy of the event?" becomes a
> > crucial concern here. What if, by your leading example, there is 1/2 bit
> > of entropy in each event? Will the estimator even account for 1/2 bits?
> > Or will it see each event as 3 bits of entropy? How much of a margin
> > of error can we tolerate?
>
> H'm... the old code *used* to handle fractional bits, but the new code
> seems to round down to the nearest bit. May have to get fixed to
> handle low-rate inputs.

I don't believe that was ever true, though it can fairly trivially be added.
JLC, please note that entropy estimation is much more conservative now
than it was a month ago.

> As for margin of error, any persistent entropy overestimate is Bad.
> a 6-fold overestimate is disastrous.
>
> What we can do is refuse to drain the main pool below, say, 128 bits of
> entropy. Then we're safe against any *occasional* overestimates
> as long as they don't add up to 128 bits.

I've been moving in that direction already, most of the infrastructure
is already in place.

> > /dev/random will output once it has at least 160 bits of entropy
> > (iirc), 1/2 bit turning into 3 bits would mean that 160bits of output
> > it effectively only 27 bits worth of true entropy (again, assuming the
> > catastrophic reseeder and output function don't waste entropy).
> >
> > It's a lot of "ifs" for my taste.
>
> /dev/random will output once it has as many bits of entropy as you're
> asking for. If you do a 20-byte read, it'll output once it has 160
> bits. If you do a 1-byte read, it'll output once it has 8 bits.

That's not quite right. It needs 8 bits in the relevant output pool.
Failing that, it needs 64 bits in the input pool to reseed the output
pool. In the case of /dev/urandom, it needs 128 bits in the input
pool, it always leaves enough for /dev/random to reseed.

--
Mathematics is the supreme nostalgia of our time.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vadim Lobanov: "Re: Why system call need to copy the date from the userspace before using it"
Previous message: Matt Mackall: "Re: Fortuna"
In reply to: linux: "Re: Fortuna"
Next in thread: Matt Mackall: "Re: Fortuna"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]