Evaluating Entropy for TRNGs: Fast, Robust and Provably Secure

Estimating entropy for true random number generators is a task of critical importance, because feeding cryptographic applications with insufficient entropy leads to poor security. This is a challenging task as the entropy needs to be estimated at high accuracy, high confidence level and with possibly minimal number of samples (ideally no more than needed for extraction), In this paper we analyze the performance of a simple collision-counting estimator, and show that it is much better than min-entropy estimators or Shannon-entropy estimators studied before in this context, and moreover that it is robust against changes in the source distribution (due environmental conditions or adversarial influences). More precisely, we show an estimator which for n samples, and confidence 1− : (a) Extremely efficient: reads the stream in one-pass and uses constant memory (forward-only mode) (b) Accurate: estimates the amount of extractable bits with a relative error O(n− 2 log(1/ )), when the source outputs are i.i.d. (c) Robust: keeps the same error when the source outputs are independent but the distribution changes up to t = O(n 2 ) times during runtime We demonstrate that the estimator is accurate enough to adjust post-processing components dynamically, estimating entropy on the fly instead investigating it off-line.