>>>>> "John" == John Denker <[EMAIL PROTECTED]> writes:

 John> At 10:09 AM 8/2/99 -0400, Paul Koning wrote:
 >>  1. Estimating entropy.  Yes, that's the hard one.  It's
 >> orthogonal to everything else.  /dev/random has a fairly simple
 >> approach; Yarrow is more complex.
 >> 
 >> It's not clear which is better.  If there's reason to worry about
 >> the one in /dev/random, a good solution would be to include the
 >> one from Yarrow and use the smaller of the two answers.

 John> Hard?  That's much worse than hard.  In general, it's
 John> impossible in principle to look at a bit stream and determine
 John> any lower bound on its entropy.  Consider the bitstream
 John> produced by a light encoding of /dev/zero.  If person "A" knows
 John> the encoding, the conditional entropy is zero.  If person "B"
 John> hasn't yet guessed the encoding, the conditional entropy is
 John> large.

 John> Similar remarks apply to physical entropy: I can prepare a
 John> physical system where almost any observer would measure lots of
 John> entropy, whereas someone who knew how the system was prepared
 John> could easily return it to a state with 10**23 bits less
 John> apparent entropy.  Example: spin echoes.

Fine, but we weren't talking about "in principle" or "in general".
Sure, given an unspecified process of unknown (to me) properties I
cannot make sensible statements about its entropy.  That is true but
it isn't relevant to the discussion.

Instead, we're talking about systems where we have some understanding
of the properties involved.

For example, to pick a physical process, suppose I had a noise
generator (resistor), shielding of known properties or at least
bounded effectiveness, and biases ditto.  I would say I can then come
up with a reasonable entropy estimate, especially if I'm quite
conservative.  This is what people typically do if they build
"hardware random number generators".  They certainly need to be
treated with care and analyzed cautiously, but it definitely is a
thing that can be done.

Sure, you can do cat /dev/zero | md5sum > /dev/random, but I don't
believe anyone is proposing that as a way of feeding entropy into it.

        paul
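The "estimate conservatively, and use the smaller of the two answers" approach discussed above, as an added worked example that is not code from this thread, from /dev/random or from Yarrow. It runs two simple statistical min-entropy estimators (most-common-value, and worst-case first-order Markov) over a constructed bit stream, combines them with a design bound derived from an assumed worst-case bias of the hardware source, and credits only the minimum. The `constructed_noise_bits` generator, the bias figure of 0.15 and the function names are all assumptions for illustration; a real source would feed sampled hardware output in place of the LCG bits.

```python
"""Conservative entropy crediting for a noise source with known bounds.

Added example: not code from the thread, from /dev/random or from Yarrow.
It shows the two-estimator, take-the-minimum approach, applied to a
constructed bit stream, plus a design bound derived from an assumed
worst-case bias of the hardware source.
"""
import math
from collections import Counter, defaultdict


def most_common_value_min_entropy(samples):
    """Min-entropy per sample, -log2(p_max), from observed symbol frequencies.

    The simplest estimator: it bounds how often the single most likely
    symbol occurs, but is blind to correlation between successive samples.
    """
    samples = list(samples)
    if not samples:
        raise ValueError("need at least one sample")
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def markov_min_entropy(samples):
    """Worst-case conditional min-entropy of each sample given its predecessor.

    For each previous symbol a, find the most likely successor b; the
    estimate is -log2 of the largest P(b | a) over all a. A stream that
    alternates 0,1,0,1 scores 1 bit/sample under MCV but 0 here.
    """
    samples = list(samples)
    if len(samples) < 2:
        raise ValueError("need at least two samples for transitions")
    transitions = defaultdict(Counter)
    for prev, nxt in zip(samples, samples[1:]):
        transitions[prev][nxt] += 1
    p_max = max(max(c.values()) / sum(c.values()) for c in transitions.values())
    return -math.log2(p_max)


def design_bound_from_bias(max_bias):
    """Per-bit min-entropy lower bound for a bit source with bounded bias.

    Assumption (hypothetical hardware analysis): |P(1) - 1/2| <= max_bias,
    so the most likely bit has probability at most 1/2 + max_bias.
    """
    if not 0.0 <= max_bias <= 0.5:
        raise ValueError("bias must be in [0, 0.5]")
    return -math.log2(0.5 + max_bias)


def conservative_entropy_credit(samples, design_bound_bits_per_sample):
    """Bits of entropy to credit for a batch: n times the SMALLEST estimate.

    The design bound comes from the physical analysis; the statistical
    estimators catch a source that has degraded below its design.
    """
    samples = list(samples)
    per_sample = min(
        most_common_value_min_entropy(samples),
        markov_min_entropy(samples),
        design_bound_bits_per_sample,
    )
    return math.floor(len(samples) * per_sample)


def constructed_noise_bits(n, seed=12345, p_one=0.6):
    """Constructed stand-in for sampled hardware noise: biased bits from a
    small LCG. NOT a real entropy source; deterministic so the run repeats."""
    state = seed & 0xFFFFFFFF
    threshold = int(p_one * 256)
    bits = []
    for _ in range(n):
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        bits.append(1 if (state >> 24) < threshold else 0)
    return bits


if __name__ == "__main__":
    bits = constructed_noise_bits(4096)
    bound = design_bound_from_bias(0.15)  # assumed worst-case bias from hardware review
    print("MCV estimate    :", most_common_value_min_entropy(bits))
    print("Markov estimate :", markov_min_entropy(bits))
    print("Design bound    :", bound)
    print("Credit (bits)   :", conservative_entropy_credit(bits, bound))
    # A balanced-looking but fully predictable stream earns zero credit.
    print("Alternating 0/1 :", conservative_entropy_credit([0, 1] * 64, bound))
```

The alternating-bit case is the point of running more than one estimator: frequency counting alone credits it a full bit per sample, the Markov view credits nothing, and the minimum rule sides with the pessimist. None of this rescues the "lightly encoded /dev/zero" case from the quoted message; it only makes a source whose design you do understand harder to over-credit.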
