>> And note that at least one highly-thought-of modern design for an
>> entropy collector (Fortuna) doesn't even _try_ to keep an "entropy
>> estimate" -- the whole concept is pretty fuzzy when you start trying
>> to count how many bits you "took out".

> To extend on that: the basic idea is that as long as you started with
> "enough" entropy at some point and feed some form of entropy often
> enough, you have to break the cryptographic primitives pretty much
> completely to predict the output in any way.

Well, sure. But that's equally true with no mixing at all: feed in
enough unknown ("random") information often enough and you don't have
to mix at all in order to get random information out. Indeed, mixing
is a danger in that case, because it introduces the possibility of
correlation between past bits and future bits.

> One of the fundamental design assumptions behind Fortuna is that
> there is no correct way to estimate entropy. People have been pretty
> bad about it whenever they tried. So remove the need for it.

Unless you have a source of strongly random bits (eg, noise diode) of
higher bandwidth than the drain your consumers impose, there's no way
around it: you can estimate it badly or you can not estimate it at
all. Not estimating it at all amounts to estimating the amount of
input entropy as infinite, which is a worse estimate than almost any
other. "Because we can't do it well" is a really really bad reason to
do it as badly as possible.

/~\ The ASCII Mouse
\ / Ribbon Campaign
 X  Against HTML      mo...@rodents-montreal.org
/ \ Email!         7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
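The quoted exchange turns on what Fortuna does instead of keeping an entropy estimate. The following simplified accumulator is an added illustration, not code from this thread or from any Fortuna implementation: events are spread round-robin over 32 hash pools, no per-event entropy count is kept, and pool i is folded into the generator key only on every 2**i-th reseed, so a pool that has been collecting for a long time eventually holds more unknown input than an attacker could have observed or guessed. SHA-256 stands in for the block cipher of the real generator, and the pool-0 byte threshold, the source-id tagging and the per-request rekey are assumptions chosen for the demonstration.

```python
import hashlib
from typing import List, Optional

NUM_POOLS = 32
# Bytes that must land in pool 0 before a reseed is attempted (constructed threshold).
MIN_POOL_SIZE = 64


class FortunaAccumulator:
    """Simplified Fortuna-style accumulator for illustration only (not a production RNG).

    No entropy estimate is kept anywhere. Unpredictability comes from the reseed
    schedule: pool i is consumed only when 2**i divides the reseed counter, so the
    higher pools accumulate input across ever longer windows before being used.
    """

    def __init__(self, seed: bytes = b"") -> None:
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_bytes = 0          # only pool 0's size is tracked, to pace reseeds
        self.next_pool = 0
        self.reseed_count = 0
        self.key = hashlib.sha256(seed).digest()
        self.counter = 0

    def add_event(self, source_id: int, data: bytes) -> int:
        """Feed one event round-robin into the pools; returns the pool index used."""
        idx = self.next_pool
        # Tag with source id and length so events from different sources cannot be confused.
        self.pools[idx].update(bytes([source_id & 0xFF, len(data) & 0xFF]) + data)
        if idx == 0:
            self.pool0_bytes += len(data)
        self.next_pool = (idx + 1) % NUM_POOLS
        return idx

    @staticmethod
    def pools_for_reseed(n: int) -> List[int]:
        """Pool i takes part in reseed number n exactly when 2**i divides n."""
        return [i for i in range(NUM_POOLS) if n % (2 ** i) == 0]

    def maybe_reseed(self) -> Optional[List[int]]:
        """Reseed if pool 0 is full enough; returns the pools consumed, or None."""
        if self.pool0_bytes < MIN_POOL_SIZE:
            return None
        self.reseed_count += 1
        used = self.pools_for_reseed(self.reseed_count)
        h = hashlib.sha256(self.key)
        for i in used:
            h.update(self.pools[i].digest())
            self.pools[i] = hashlib.sha256()   # consumed pools start over empty
        self.key = h.digest()
        self.pool0_bytes = 0
        return used

    def generate(self, nbytes: int) -> bytes:
        """Counter-mode output from the current key (SHA-256 stands in for the cipher)."""
        out = b""
        while len(out) < nbytes:
            out += hashlib.sha256(self.key + self.counter.to_bytes(16, "big")).digest()
            self.counter += 1
        # Rekey after every request so earlier output cannot be reconstructed
        # from a later compromise of the key (forward secrecy of the generator).
        self.key = hashlib.sha256(self.key + b"rekey").digest()
        return out[:nbytes]


def demo_reseed_after_events(events: int, event_len: int = 16) -> Optional[List[int]]:
    """Feed `events` constructed 16-byte events and report which pools the first reseed used."""
    acc = FortunaAccumulator(b"constructed initial seed")
    for _ in range(events):
        acc.add_event(1, b"\x00" * event_len)   # constructed, entirely predictable input
    return acc.maybe_reseed()


if __name__ == "__main__":
    print("reseed 1 uses pools", FortunaAccumulator.pools_for_reseed(1))
    print("reseed 8 uses pools", FortunaAccumulator.pools_for_reseed(8))
    print("after 128 events:", demo_reseed_after_events(128))
```

Note that the constructed events above are all zeros: the accumulator reseeds on schedule regardless, which is exactly the property the reply criticises. The design does not refuse to reseed on low-quality input; it relies on the higher pools having absorbed enough genuinely unknown input by the time they are consumed, so the quality of what is fed in still matters even though nothing counts it.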
> To extend on that: the basic idea is that as long as you started with > "enough" entropy at some point and feed some form of entropy often > enough, you have to break the cryptographic primitives pretty much > completely to predict the output in any way. Well, sure. But that's equally true with no mixing at all: feed in enough unknown ("random") information often enough and you don't have to mix at all in order to get random information out. Indeed, mixing is a danger in that case, because it introduces the possibility of correlation between past bits and future bits. > One of the fundamental design assumptions behind Fortuna is that > there is no correct way to estimate entropy. People have been pretty > bad about it whenever they tried. So remove the need for it. Unless you have a source of strongly random bits (eg, noise diode) of higher bandwidth than the drain your consumers impose, there's no way around it: you can estimate it badly or you can not estimate it at all. Not estimating it at all amounts to estimating the amount of input entropy as infinite, which is a worse estimate than almost any other. "Because we can't do it well" is a really really bad reason to do it as badly as possible. /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML mo...@rodents-montreal.org / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B