Alexandre Anzala-Yamajako posted interesting comments on this to [Cryptography] (@metzdowd.com):

> IMO a statistical approach based on taking a bunch of data and saying essentially "I don't see any signs that it's not random" is not a good approach for entropy seeding. The example is old but I could give you the output of an AES in counter mode with a null key and a null IV and no standard statistical test would ever show you any defects while you have absolutely no entropy.
>
> Your case is particularly worrisome for several reasons:
>
> 1) you use a von Neumann-like extractor but you have also shown that your data is not only biased but also correlated
> 2) you don't seem to have a model of your hardware source from which you could derive the output distribution
> 3) you do some wizardry to remove some correlation but nowhere show or prove that there isn't more correlation to be taken care of or how
> 4) I didn't see in your document a justification of the fact that the manufacturer of the camera (soft and hardware) doesn't have more information than you and could therefore target defects in your entropy management procedure.
>
> You should have a look at the work of Viktor Fischer, David Lubicz, Florent Bernard and Patrick Haddad. They invested quite a bit of effort to give entropy guarantees when using very specific hardware devices.

Skibinsky subsequently responded:

> Alexandre, thanks for reading and suggestions! I will certainly check out your references.
>
> As it is probably obvious from the essay-style narrative, this is not intended to be a tight scientific paper, just our research log of first order ideas we coded up for a minimal working prototype. You are correct on #1, #3 - the current codebase doesn't address these issues. #2 is interesting, because besides the wide variety of camera hardware that the model should reflect, iOS camera parameters present us with an opportunity to create an optimal hardware source. This is far from our area of expertise, so I hope somebody in the open source community will pick it up from here and figure out both a formal model and what physical settings will optimize the source.
>
> Thanks again for the great suggestions, I will further emphasize the impact of correlations & VN sensitivity to non-IID in the final section.
>
> The most likely practical direction, of course, is simply to use a universal hash extractor instead of VN, since it relaxes a lot of requirements.
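The sensitivity of a von Neumann extractor to correlated input, and the way a simple frequency check fails to reveal it, can be seen in the following added example (not code from the essay or from either poster). The two source models, their parameters and all function names are constructed for illustration.

```python
import random

def von_neumann(bits):
    """Classic extractor: non-overlapping pairs, 01 -> 0, 10 -> 1, 00/11 dropped."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]

def iid_source(n, p_one, rng):
    """Biased but independent bits: the case von Neumann's proof covers."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def sticky_source(n, p_stay, rng):
    """Constructed correlated source: each bit repeats the previous one
    with probability p_stay (two-state symmetric Markov chain)."""
    bits = [rng.getrandbits(1)]
    for _ in range(n - 1):
        prev = bits[-1]
        bits.append(prev if rng.random() < p_stay else 1 - prev)
    return bits

def ones_fraction(bits):
    """Monobit-style check: 0.5 for unbiased output."""
    return sum(bits) / len(bits)

def flip_fraction(bits):
    """Fraction of adjacent bits that differ: 0.5 for independent fair bits."""
    return sum(a != b for a, b in zip(bits, bits[1:])) / (len(bits) - 1)

def run(seed=1, n=400_000):
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    sources = (("iid_biased", iid_source(n, 0.8, rng)),
               ("sticky", sticky_source(n, 0.9, rng)))
    results = {}
    for name, raw in sources:
        out = von_neumann(raw)
        results[name] = (len(out), ones_fraction(out), flip_fraction(out))
    return results

if __name__ == "__main__":
    for name, (count, ones, flips) in run().items():
        print(f"{name:10s} out_bits={count:6d} ones={ones:.3f} flips={flips:.3f}")
```

For the sticky source the extractor output still has a ones fraction near 0.5, yet adjacent output bits differ with probability 2s/(1+2s) for stay-probability s (about 0.64 at s = 0.9), so each bit carries less than one bit of entropy.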