Randomness

Bill Frantz frantz at pwpconsult.com
Wed May 7 16:26:11 EDT 2003


On Monday 05 May 2003 4:51 pm, Ben Laurie wrote:
> People might be interested in a paper I've written on randomness:
> http://www.apache-ssl.org/randomness.pdf. Comments, as always, are more
> than welcome.

I assume the people who are using randomness to generate UUIDs are doing so
in a distributed manner.  (If it was centralized, then a counter would
provide better assurance of non-duplication.)  I am also going to assume
that the seed they get from the secure random process which is used to
support the "void insecureprng(void *out, int nbytes)" function is run
through a cryptographically strong mixing process like MD5 or SHA1.

The question is, does having only a few bits different in the seed between
the various instances of the generator compromise the collision resistance
of the generator?  If it does, how many bits do you need?  (This issue
seems to me to be closely related to the issue of using a counter as an IV
in CBC mode encryption.)

Given you have very little "conditional entropy" (random data unknown to an
attacker), what is the best way to get "unconditional entropy" (random data
that may be known to an attacker)?  Clearly time, which has very little
"conditional entropy", also has a significant risk of duplication between
two instances started nearly together.

How do you protect against this risk?  Adding in IP address might yield a
lot of 192.168.0.1s.  Ethernet MAC addresses seem to be good, but not all
machines have Ethernet cards.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | Due process for all    | Periwinkle -- Consulting
(408)356-8506         | used to be the         | 16345 Englewood Ave.
frantz at pwpconsult.com | American way.          | Los Gatos, CA 95032, USA
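The collision question raised in the message above, worked through as an added example that is not part of the original post or of the paper it discusses. The code models one generator per instance whose seed is a shared, attacker-visible constant plus a small number of genuinely random bits, mixes that seed with SHA-256 (standing in for the MD5/SHA1 mixing step the post assumes; `mix_seed`, `generator_output`, `simulate_collisions` and `min_seed_bits` are names chosen here, not anything from the post), and checks two things: that the mixing step never hides or creates collisions, so output collisions track seed collisions exactly, and how many random seed bits a given number of instances needs to keep the birthday-bound collision probability below a target.

```python
import hashlib
import random
from collections import Counter
from typing import List, Tuple

# Constructed, attacker-visible part of every instance's seed (time, IP,
# build id and the like): it adds no protection against duplicates.
SHARED_SEED_MATERIAL = b"shared-constant-seed-material"


def mix_seed(seed: bytes) -> bytes:
    """Cryptographically strong mixing step: SHA-256 of the raw seed bytes."""
    return hashlib.sha256(seed).digest()


def generator_output(seed: bytes, nbytes: int = 16) -> bytes:
    """Expand the mixed seed in counter mode to produce `nbytes` of output
    (enough for one UUID-sized value)."""
    state = mix_seed(seed)
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(state + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def birthday_collision_probability(seed_bits: int, instances: int) -> float:
    """Exact probability that at least two of `instances` independent
    generators draw the same value from a space of 2**seed_bits equally
    likely seeds."""
    space = 2 ** seed_bits
    if instances > space:
        return 1.0
    p_no_collision = 1.0
    for i in range(instances):
        p_no_collision *= (space - i) / space
    return 1.0 - p_no_collision


def min_seed_bits(instances: int, max_probability: float) -> int:
    """Smallest number of random seed bits such that `instances` generators
    collide with probability at most `max_probability`."""
    for bits in range(1, 257):
        if birthday_collision_probability(bits, instances) <= max_probability:
            return bits
    raise ValueError("no seed size up to 256 bits meets the target")


def build_seeds(seed_bits: int, instances: int, rng: random.Random) -> List[bytes]:
    """Constructed seeds: the shared constant followed by `seed_bits`
    random bits per instance."""
    nbytes = (seed_bits + 7) // 8
    return [
        SHARED_SEED_MATERIAL + rng.getrandbits(seed_bits).to_bytes(nbytes, "big")
        for _ in range(instances)
    ]


def simulate_collisions(seed_bits: int, instances: int, rng: random.Random) -> Tuple[int, int]:
    """Start `instances` generators and count duplicate seeds and duplicate
    outputs. Returns (seed_duplicates, output_duplicates)."""
    seeds = build_seeds(seed_bits, instances, rng)
    seed_dups = sum(c - 1 for c in Counter(seeds).values())
    outputs = [generator_output(s) for s in seeds]
    out_dups = sum(c - 1 for c in Counter(outputs).values())
    return seed_dups, out_dups


if __name__ == "__main__":
    rng = random.Random(2003)
    # Few random bits: mixing cannot rescue the generator from seed collisions.
    print("8 random seed bits, 64 instances:", simulate_collisions(8, 64, rng))
    # Plenty of random bits: no collisions expected.
    print("64 random seed bits, 1000 instances:", simulate_collisions(64, 1000, rng))
    print("bits needed for 1000 instances at p<=1e-6:", min_seed_bits(1000, 1e-6))
```

The mixing function is deterministic, so two instances that start with identical seed bytes produce identical output streams no matter how strong the hash is; the only quantity that matters for collision resistance is the number of seed bits an attacker (or a sibling instance) cannot predict, and `min_seed_bits` turns the birthday bound into a concrete seed size for a given deployment.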


