by john_alan 2009 days ago
> So no, uniformity is not a goal for keys.

> you're right that if it was non-uniform this would probably mean that it was biased and would be a weak key

This seems contradictory.

Interesting. Why do you hash the ECDH secret then?


> This seems contradictory.

Because there are two entirely different things - one is producing an unbiased bitstream from a potentially biased one (the topic of the article) and the other is keying an individual encryption.

When you're trying to generate a bitstream and you expect uniformity (ie, a prng) then seeing obvious non-uniformity over time is a sign that it's biased. You need the type of algorithms from the article to unbias it while preserving the actual entropy. This is what a system's designer should be doing to produce useful output from a hwrng in the first place.

But, looking at an individual piece of randomness, a key, you shouldn't be looking for uniformity at all. Here you want all zeros, all 1s, and any mix, to be equally possible.

> Interesting. Why do you hash the ECDH secret then?

Well, EC is a bit magical and I don't know. Wikipedia says that it prevents 'weak bits' from the handshake. That means correlations, but I don't know why this is true. At any rate uniformity here means what you think, that it's not a random bitstream and should not be used as such.
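To make the first point concrete, here is an added example (not code from the thread or the article it discusses) of one debiasing algorithm, the von Neumann extractor, run over a constructed biased bit source; the assumption that this is the kind of algorithm the article covers, and the source's bias of 0.8, are both mine.

```python
import random
from typing import Iterable, List


def biased_bits(n: int, p_one: float, seed: int = 1) -> List[int]:
    """Constructed stand-in for a biased hardware source: independent bits,
    each 1 with probability p_one (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann_extract(bits: Iterable[int]) -> List[int]:
    """Von Neumann debiasing: consume non-overlapping pairs, emit 0 for (0,1),
    emit 1 for (1,0), discard (0,0) and (1,1).

    For independent bits with any fixed bias p, P(0,1) == P(1,0) == p*(1-p),
    so the output is exactly unbiased. The price is throughput: about
    p*(1-p) output bits per input bit. Correlated input is NOT fixed by this
    (the pairs would no longer be exchangeable), which is the distinction
    the thread draws between a biased stream and a merely 'unlucky' key."""
    out: List[int] = []
    it = iter(bits)
    for a in it:
        b = next(it, None)
        if b is None:          # odd trailing bit: nothing to pair it with
            break
        if a != b:
            out.append(a)      # (0,1) -> 0, (1,0) -> 1
    return out


def fraction_ones(bits: List[int]) -> float:
    """Proportion of 1 bits; ~0.5 is what a stream (not a single key) should show."""
    return sum(bits) / len(bits) if bits else 0.0


def expected_yield(p_one: float) -> float:
    """Expected output bits per input bit for the extractor above."""
    return p_one * (1.0 - p_one)


def demo(n: int = 100_000, p_one: float = 0.8) -> dict:
    raw = biased_bits(n, p_one)
    clean = von_neumann_extract(raw)
    return {
        "raw_bias": fraction_ones(raw),
        "clean_bias": fraction_ones(clean),
        "yield": len(clean) / n,
        "expected_yield": expected_yield(p_one),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the extractor judges the stream statistically over many bits; applying the same test to one 256-bit key and rejecting it for being "non-uniform" would throw away perfectly valid keys, which is the second point made above.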