[HexagonalKitten]

That is a conflation of two things. The first is an bitstream from a hwrng, and you're right that if it was non-uniform this would probably mean that it was biased and would be a weak key. Not because it has a bunch of zeros in a row, but because the attacker could assume that it did and guess it more easily.

The other issue is the key itself, and in AES for example, there are (believed to be) no 'weak' keys. All zeros is just as secure at mixing the plaintext as anything else. If you reject keys with too many zeros in a row all you're doing is lowering the keyspace you have to work with.

So no, uniformity is not a goal for keys.

[john_alan]

> So no, uniformity is not a goal for keys.

> you're right that if it was non-uniform this would probably mean that it was biased and would be a weak key

This seems contradictory.

Interesting. Why do you hash the ECDH secret then?

[HexagonalKitten]

> This seems contradictory.

Because there are two entirely different things - one is producing an unbiased bitstream from a potentially biased one (the topic of the article) and the other is keying an individual encryption.

When you're trying to generate a bitstream and you expect uniformity (ie, a prng) then seeing obvious non-uniformity over time is a sign that it's biased. You need the type of algorithms from the article to unbias it while preserving the actual entropy. This is what a system's designer should be doing to produce useful output from a hwrng in the first place.

But, looking at an individual piece of randomness, a key, you shouldn't be looking for uniformity at all. Here you want all zeros, all 1s, and any mix, to be equally possible.

> Interesting. Why do you hash the ECDH secret then?

Well, EC is a bit magical and I don't know. Wikipedia says that it prevents 'weak bits' from the handshake. That means correlations, but I don't know why this is true. At any rate uniformity here means what you think, that it's not a random bitstream and should not be used as such.