Is Your Entropy Really Random? Four Questions You Should Ask to Find Out

Denis Mandich
Blog Post


There is no test that proves a data set is random. 1111, 2222 and 3333 are potentially perfectly random elements in a large set of four-digit numbers, while 3725 may not be if it appears more frequently than the others. A large number of statistical tests can place limits on the quality of randomness, but they cannot definitively prove randomness without knowing details about the source. For example, the digits of Pi appear randomly distributed, yet each consecutive digit can be calculated from the previous ones, which would be impossible if they occurred randomly. So, how do you know if your entropy is really random? Here are a few questions you should ask when thinking about the randomness that underpins your security measures.

1. Has your underlying entropy methodology been publicly disclosed for critical review by engineering professionals?

While there is no simple test to prove randomness, your provider should be able to clearly explain their methodology and back it up with peer-reviewed, published journal articles.

2. If so, was testing done to analyze the entropy source and the electronics used to digitize the output?

Verifiable RNG testing must analyze both the entropy source and the electronics used to digitize its output. For example, radioactive decay is an excellent and widely used source of randomness, but the quality of the result depends heavily on the RNG circuitry used to turn the decay events into random numbers. Both components are essential to success and should be publicly disclosed.

3. Was the ratio of quantum randomness to noise in the test device established, and did it confirm the expected results?

Once a quantum source of entropy is identified and suitable harvesting circuitry is designed to collect its signal, the noise in the device must be quantified and assumed to be nonrandom. A ratio of quantum randomness to noise can then be established and mathematical testing done on the raw output to confirm the expected results. Once validated, post-processing may be used to further purify the output of random numbers to a high degree of accuracy, based on the results and assumptions established in controlled laboratory testing.
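The "quantify the noise and treat it as nonrandom" step above is usually expressed as a conservative min-entropy estimate on the raw, unconditioned samples. The following is an added example, not Qrypt's code or any vendor's method; it implements the Most Common Value estimator from NIST SP 800-90B (section 6.3.1) in Python and applies it to two constructed raw outputs: a bit source with a fixed imbalance (standing in for detector electronics that add a nonrandom offset) and an idealised uniform byte source. The `entropy_bits_needed` helper is a simplification for illustration; the real conditioning rules in SP 800-90B are more involved.

```python
import math
from collections import Counter


def most_common_value_min_entropy(samples, z: float = 2.576) -> float:
    """Most Common Value estimate, NIST SP 800-90B section 6.3.1.

    p_hat is the observed frequency of the most common sample value.  An
    upper confidence bound p_u = min(1, p_hat + z*sqrt(p_hat(1-p_hat)/(L-1)))
    is taken at 99% confidence (z = 2.576), and the min-entropy per sample
    is -log2(p_u).  Using the upper bound makes the estimate conservative,
    which is what you want when the noise component is assumed nonrandom.
    """
    samples = list(samples)
    L = len(samples)
    if L < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / L
    p_u = min(1.0, p_hat + z * math.sqrt(p_hat * (1 - p_hat) / (L - 1)))
    return -math.log2(p_u)


def biased_bit_source(n_ones: int, n_zeros: int) -> list:
    """Constructed raw output: a bit-level source with a fixed 1/0 imbalance,
    standing in for a detector whose electronics add a nonrandom offset."""
    return [1] * n_ones + [0] * n_zeros


def uniform_byte_source(repeats: int) -> list:
    """Constructed idealised raw output: every byte value appears equally often."""
    return list(range(256)) * repeats


def entropy_bits_needed(raw_samples, output_bits: int) -> int:
    """Simplified sizing rule (assumption, not the SP 800-90B conditioning
    procedure): number of raw samples a conditioner must consume to claim
    `output_bits` of min-entropy, i.e. ceil(output_bits / H_min_per_sample)."""
    h = most_common_value_min_entropy(raw_samples)
    return math.ceil(output_bits / h)


if __name__ == "__main__":
    biased = biased_bit_source(700, 300)      # 70% ones: clearly not 1 bit/sample
    uniform = uniform_byte_source(4)          # 1024 bytes, flat histogram
    print(f"biased bits : H_min = {most_common_value_min_entropy(biased):.3f} bits/sample")
    print(f"uniform bytes: H_min = {most_common_value_min_entropy(uniform):.3f} bits/sample")
    print(f"raw biased bits needed for a 256-bit key: {entropy_bits_needed(biased, 256)}")
```

Note that the uniform byte source scores well below the ideal 8 bits per sample: with only four occurrences of each value, the 99% confidence bound on the most common value is wide, so the estimator refuses to credit entropy it has not seen enough evidence for. A vendor's lab report should show how the raw-source estimate was obtained and how much raw material the post-processing consumes per output bit.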

4. Was there hashing that could obfuscate deterministic behavior?

The National Institute of Standards and Technology (NIST) publishes a suite of independent tests that look for patterns implying a set of numbers was not randomly generated. These tests do not require any information about the process that generated the numbers, and they can be fooled by carefully choosing a nonrandom series of numbers. In fact, many of these tests may pass while a single failed test is the sole indicator of predictability or bias in the numbers. Additionally, many hardware-based random number generators (RNGs) include hashing as an extra measure of safety, which obfuscates any deterministic behavior.
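The point made in the opening paragraph (no statistical test proves randomness) and in this one (black-box tests can be fooled, and hashing hides deterministic behavior) can be seen directly. The following is an added example, not code from the original post or from any RNG vendor. It implements two of the NIST SP 800-22 tests in Python, the Frequency (monobit) test and the Runs test, and runs them over three constructed inputs: `os.urandom`, a SHA-256 hash of a fixed seed and an incrementing counter (a stream that is entirely deterministic to anyone holding the seed), and the byte `10101010` repeated. The seed value and the 4096-byte sample size are arbitrary choices for the demonstration.

```python
import hashlib
import math
import os

ALPHA = 0.01  # SP 800-22 uses a 1% significance level per test


def bytes_to_bits(data: bytes) -> list:
    """Expand a byte string into a list of 0/1 ints, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def monobit_p_value(bits: list) -> float:
    """Frequency (monobit) test, NIST SP 800-22 section 2.1.

    S_n is the sum of the bits mapped to +1/-1, s_obs = |S_n| / sqrt(n), and
    p = erfc(s_obs / sqrt(2)).  A small p means the ones/zeros balance is off.
    """
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def runs_p_value(bits: list) -> float:
    """Runs test, NIST SP 800-22 section 2.3.

    V_n counts uninterrupted runs of identical bits and is compared with the
    count expected from an independent sequence with the same proportion of
    ones.  The frequency prerequisite |pi - 1/2| < 2/sqrt(n) must hold first;
    if it does not, the test is not applicable and 0.0 is reported (the
    sequence already failed on balance).
    """
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    numerator = abs(v_n - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def evaluate(data: bytes, alpha: float = ALPHA) -> dict:
    """Run both tests on a byte string and report p-values and an overall verdict."""
    bits = bytes_to_bits(data)
    p_mono = monobit_p_value(bits)
    p_runs = runs_p_value(bits)
    return {
        "monobit_p": p_mono,
        "runs_p": p_runs,
        "passes_all": p_mono >= alpha and p_runs >= alpha,
    }


def hashed_counter_stream(nbytes: int, seed: bytes = b"constructed-fixed-seed") -> bytes:
    """Constructed deterministic 'generator': SHA-256 over a fixed seed and a counter.

    Anyone who knows the seed can reproduce every byte, so the stream carries
    no entropy; but the hash spreads the counter's structure so evenly that a
    black-box statistical test has nothing to catch.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def patterned_stream(nbytes: int) -> bytes:
    """Constructed, obviously non-random stream: the byte 10101010 repeated.

    Exactly half the bits are ones, so the monobit test alone passes;
    only the runs test notices that every bit alternates.
    """
    return bytes([0b10101010]) * nbytes


if __name__ == "__main__":
    for name, data in [
        ("os.urandom", os.urandom(4096)),
        ("sha256(seed||counter)", hashed_counter_stream(4096)),
        ("10101010 repeated", patterned_stream(4096)),
    ]:
        r = evaluate(data)
        print(f"{name:24s} monobit p={r['monobit_p']:.3f} "
              f"runs p={r['runs_p']:.3f} passes={r['passes_all']}")
```

Running it, the hashed counter stream passes both tests just as `os.urandom` does (each genuinely random input fails a given test about 1% of the time by design), while the patterned stream passes monobit and fails only on runs. That is the whole argument of questions 1 to 3 in miniature: the test suite can tell you that the `10101010` stream is bad, but it cannot distinguish a seeded hash chain from a physical entropy source, so only disclosure of the source, the digitizing electronics and the raw-output analysis can.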

Without high-quality randomness, your cryptography efforts are at risk. Many pseudorandom options are available today, so it is essential that you get the answers to these questions to ensure you are getting pure random numbers for the highest levels of security in your organization.

You can learn more about Qrypt’s random here: https://www.qrypt.com/entropy.