[Cryptography] who cares about actual randomness?

John Denker jsd at av8n.com
Thu Feb 6 05:33:41 EST 2014

On 02/06/2014 12:43 AM, ianG wrote:
> The Answer, if one can summarise, is redundant sources of tiny Entropy,
> some very careful software engineering to mix it, and a good stream
> cipher to turn a little drop of entropy into a firehose.

That is not "The Answer" in general.  It is partly sloppy and
partly just wrong.

First of all, the idea of "tiny" entropy is neither a necessity
nor a virtue.  There are plenty of real-world situations where
the supply of entropy is more than sufficient, not at all tiny.

Secondly, redundancy is not a virtue unto itself.  Reliability
is a virtue, but multiplicity by itself is neither necessary nor
sufficient for reliability.  For clarification on this point, see

Thirdly, you don't necessarily need a cipher.  For most applications,
you need a PRNG.  You can turn a hash into a PRNG, and you can turn a
cipher into a hash, but strictly speaking a "stream cipher" is not
in the critical path.

Fourthly, it causes problems to say sloppy things like "turn a 
little drop of entropy into a firehose".  In accordance with the 
ordinary rules of English, people will take that to mean that a 
little drop of entropy is being turned into a firehose of entropy
... which is not what is going to happen.  The laws of physics 
forbid it.

If you mean to talk about a high-rate, computationally-strong random
distribution, please say so, using actual words.

Overall, I beg of you to say what you mean and mean what you say.
It causes real problems when people assert that XYZ is necessary 
and/or sufficient when in fact it is not.


I've been collecting FAQs and rules of thumb at
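
The points above about turning a hash into a PRNG, and about a "drop" of entropy not becoming a firehose of entropy, shown as an added example that is not part of the original post. The SHA-256 counter-mode construction, the function names and the 10-bit seed size are assumptions chosen for illustration: the generator emits as many bytes as requested, yet the number of possible output streams never exceeds the number of possible seeds, so a small seed can be found by exhaustive search.

```python
import hashlib


def hash_prng(seed: bytes, nbytes: int) -> bytes:
    """Counter-mode PRNG built from a hash: block i = SHA-256(seed || i)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encode_seed(value: int, seed_bits: int) -> bytes:
    """Fixed-width big-endian encoding of a seed drawn from 2**seed_bits values."""
    return value.to_bytes((seed_bits + 7) // 8, "big")


def distinct_streams(seed_bits: int, nbytes: int) -> int:
    """Count the different output streams over the whole seed space."""
    streams = {hash_prng(encode_seed(v, seed_bits), nbytes)
               for v in range(2 ** seed_bits)}
    return len(streams)


def recover_seed(stream: bytes, seed_bits: int):
    """Exhaustive search of the seed space; returns the seed or None.

    Feasible only because the seed space is small. The output length
    does not make the search any harder.
    """
    for v in range(2 ** seed_bits):
        candidate = encode_seed(v, seed_bits)
        if hash_prng(candidate, len(stream)) == stream:
            return candidate
    return None


if __name__ == "__main__":
    bits = 10                                  # constructed: a "tiny" seed
    stream = hash_prng(encode_seed(42, bits), 1024)
    print("output bits:", len(stream) * 8)     # high rate, computationally strong
    print("possible streams:", distinct_streams(bits, 1024))
    print("seed recovered:", recover_seed(stream, bits))
    # Constructed 256-bit seed: the same search over 2**10 candidates fails.
    big_seed = hashlib.sha256(b"constructed 256-bit seed").digest()
    print("256-bit seed found:", recover_seed(hash_prng(big_seed, 1024), bits))
```

The 8192 output bits carry at most the 10 bits of entropy that went in; with a seed of adequate entropy the same generator is computationally strong and the search is infeasible.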
