2

If I have a compromised random source and a cryptographically secure one, does hashing them together make a cryptographically secure random output?

Example:

The compromised random output: ABC

The cryptographically secure random output: DEF

Hashing them together:

printf 'ABCDEF' | sha512sum
569350085b223ba854dfc5d607643ceb85e4607e46e5a9ad3696f898e29d8a3fe22610956167cefb7e2ba769e740f94b31e4e3c52195ba65e64ba40d82343591

Is this hash a cryptographically secure random output?

If I am not clear enough, please ask and I will update the question.

Elias
Peter

2 Answers

1

If you have a cryptographically secure hash function and you use as much input from each of the sources as there is output, i.e. for $H: \{0,1\}^* \rightarrow \{0,1\}^n$ you use $n$ bits of input from each RNG, it will work.

However, in your specific example, if you only use 3 letters to generate 512 bits of output, when the DEF repeats the entire 512 bits of output will repeat, and this will happen with pretty high probability, and after detecting it the rest of the 512 bits are known to an attacker.

Elias
0

Absolutely secure.

Your technique is:-

SHA-512("ABC..." | "DEF...")

but I have to caveat with the reasonable expectation that the cryptographic source is more than just three letters. You would expect at least 128 bits of entropy, or 28 A-Z characters.

The important aspect here is that you concatenate rather than xor. An xor operation would/could allow the compromised source to nullify the entropy from the cryptographic source. By using a secure cryptographic source, you're continuously adding entropy to the hash function irrespective of the compromise. A SHA function is one way, therefore an attacker cannot feed in anything that will generate predictable hash output.

Rather topically, the Fortuna RNG uses this very similar technique to aid recovery from a compromise with its entropy aggregation function:-

Pi ← Pi | s | length(e) | e

where new input entropy (e) is concatenated to a previously contaminated entropy pool.

Paul Uszak
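An added example, not part of the question or of either answer: a Python sketch of the concatenate-then-hash combiner that enforces the 128-bit floor mentioned in the second answer and shows the first answer's point that a three-letter input can simply be enumerated. The names `combine`, `recover_short_input` and `MIN_SECURE_BYTES`, the 8-byte length prefix, and the sample inputs are assumptions made for this illustration.

```python
import hashlib
import itertools
import os
import string

MIN_SECURE_BYTES = 16  # 128 bits, the floor suggested in the second answer


def combine(compromised: bytes, secure: bytes, enforce_min: bool = True) -> bytes:
    """SHA-512 over both inputs, each prefixed with its length.

    The length prefix (Fortuna's pool update also hashes length(e)) keeps
    ("AB", "CDEF") and ("ABC", "DEF") from producing the same byte string.
    """
    if enforce_min and len(secure) < MIN_SECURE_BYTES:
        raise ValueError("secure input shorter than 128 bits")
    h = hashlib.sha512()
    for part in (compromised, secure):
        h.update(len(part).to_bytes(8, "big"))  # assumed 8-byte big-endian prefix
        h.update(part)
    return h.digest()


def recover_short_input(compromised: bytes, output: bytes, length: int = 3):
    """Why three letters are not enough: with the compromised input known,
    every possible secure input can be tried (26**3 = 17576 hashes)."""
    for guess in itertools.product(string.ascii_uppercase, repeat=length):
        candidate = "".join(guess).encode()
        if combine(compromised, candidate, enforce_min=False) == output:
            return candidate
    return None


if __name__ == "__main__":
    known = b"ABC"  # constructed sample: the compromised source's output
    weak = combine(known, b"DEF", enforce_min=False)
    print("short input recovered:", recover_short_input(known, weak))

    strong = combine(known, os.urandom(32))  # 256 bits from the OS CSPRNG
    print("same search on a 256-bit input:", recover_short_input(known, strong))
```
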