Venue: International conference on information security and cryptology

Evaluating Entropy for True Random Number Generators: Efficient, Robust and Provably Secure


Abstract

Estimating the entropy of randomness sources is a task of critical importance in the context of true random number generators, as feeding cryptographic applications with insufficient entropy is a serious real-world security risk. The challenge is to maximize accuracy and confidence under certain data models and resource constraints. In this paper we analyze the performance of a simple collision-counting estimator, under the assumption that source outputs are independent but their distribution can change due to adversarial influences. For $n$ samples and confidence $1 - \epsilon$ we achieve the following features: (a) Efficiency: reads the stream in one pass and uses constant memory (forward-only mode); (b) Accuracy: estimates the amount of extractable bits with a relative error $O(n^{-1/2} \log(1/\epsilon))$ per sample, when the source outputs are i.i.d.; (c) Robustness: the same error when the source outputs are independent but the distribution changes up to $t = O(n^{1/2})$ times during runtime. We demonstrate that the estimator is accurate enough to adjust post-processing components dynamically, estimating entropy on the fly instead of investigating it off-line. Our work thus continues the line of research on "testable random number generators" (originated by Bucci and Luzzi at CHES'05), combining it with robustness against source changes (originated by Barak et al. at CHES'03).