[Cryptography] Uncorrelated sequence length, was: A TRNG review per day

David Leon Gil coruus at gmail.com
Fri Oct 24 19:32:54 EDT 2014


On Fri, Oct 24, 2014 at 5:01 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> On Fri, Oct 24, 2014 at 1:56 PM, Bear <bear at sonic.net> wrote:
>> On Fri, 2014-10-24 at 05:31 -0400, Bill Cox wrote:
>> > So, why do we need true random data at high speed so badly that Intel
>> > decided to build in a device requiring large capacitors and its own
>> > power regulator?  The truth is, we don't need high speed.  As many
>> > people have argued here, all any single system requires is 256 bits of
>> > true random data.  That's all they *ever* need, so long as it remains
>> > secret (which is hard), and so long as a cryptographically secure PRNG
>> > (CPRNG) is used to generate all future cryptographically pseudo-random
>> > data (which is comparatively easy).

The current provable-security bounds on recovering from state
compromise require anywhere from 2 KiB to 20 KiB of input entropy to
recover from "state compromise". See section 5.3 of
http://www.cs.nyu.edu/~dodis/ps/prematureNext.pdf

So, perhaps some applications would want a fairly large amount of entropy.
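The mechanism behind those bounds, as an added illustration that is not part of the thread or of the cited paper: a toy hash-based PRNG whose state an attacker has already learned, fed by a weak source in 8-bit chunks. If an output is released after every refresh ("premature next"), the attacker only ever searches 2**8 candidates per step and keeps tracking the state even after 256 bits have been mixed in. If the same 256 bits are accumulated before any output is released, the attacker faces 2**256 candidates at once. The ToyPrng construction, the refresh/next names, the 8-bit source and the attacker's work budget are all assumptions chosen for the demonstration, not anything the post or the paper specifies.

```python
"""Toy CPRNG state-compromise recovery: "premature next" vs accumulate-then-output."""
import hashlib
import itertools
import random


def H(*parts: bytes) -> bytes:
    """Domain-separated SHA-256 over the concatenation of parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class ToyPrng:
    """Hash-based PRNG with a 256-bit state (assumed, illustrative construction).

    refresh() folds new entropy into the state; next() emits an output block
    and ratchets the state so earlier outputs cannot be recomputed from it.
    """

    def __init__(self, seed: bytes) -> None:
        self.state = H(b"seed", seed)

    def refresh(self, entropy: bytes) -> None:
        self.state = H(b"refresh", self.state, entropy)

    def next(self) -> bytes:
        out = H(b"output", self.state)
        self.state = H(b"advance", self.state)
        return out


def entropy_chunk(rng: random.Random, bits: int) -> bytes:
    """One sample from a constructed weak source carrying `bits` bits of entropy (bits <= 16)."""
    return rng.getrandbits(bits).to_bytes(2, "big")


def guess_refresh(state: bytes, guess: int) -> bytes:
    """State the PRNG would have if the unknown chunk was `guess`."""
    return H(b"refresh", state, guess.to_bytes(2, "big"))


def premature_next_scenario(bits=8, chunks=32, budget=2 ** 20, seed=1234) -> bool:
    """next() is called after every refresh. The attacker, who knew the state at
    the moment of compromise, searches only 2**bits candidates per step and keeps
    tracking the state however many chunks are mixed in (32 * 8 = 256 bits here).
    Returns True if the attacker predicts the final output."""
    rng = random.Random(seed)                # constructed, deterministic source
    prng = ToyPrng(b"initial seed")
    attacker_state = prng.state              # state compromise at t = 0
    for _ in range(chunks):
        prng.refresh(entropy_chunk(rng, bits))
        observed = prng.next()               # output released too early
        if 2 ** bits > budget:
            return False
        for g in range(2 ** bits):
            cand = guess_refresh(attacker_state, g)
            if H(b"output", cand) == observed:
                attacker_state = H(b"advance", cand)
                break
        else:
            return False
    return H(b"output", attacker_state) == prng.next()


def accumulate_first_scenario(bits=8, chunks=32, budget=2 ** 20, seed=1234) -> bool:
    """All chunks are mixed in before any next(). The attacker must guess every
    chunk at once: 2**(bits*chunks) candidates. With 256 accumulated bits that
    exceeds any budget; with only 16 bits (chunks=2) it is still trivial, so what
    matters is the entropy gathered between outputs, not the number of refreshes."""
    rng = random.Random(seed)
    prng = ToyPrng(b"initial seed")
    attacker_state = prng.state
    for _ in range(chunks):
        prng.refresh(entropy_chunk(rng, bits))
    observed = prng.next()
    if 2 ** (bits * chunks) > budget:
        return False                         # search space beyond attacker's compute
    for guesses in itertools.product(range(2 ** bits), repeat=chunks):
        cand = attacker_state
        for g in guesses:
            cand = guess_refresh(cand, g)
        if H(b"output", cand) == observed:
            attacker_state = H(b"advance", cand)
            return H(b"output", attacker_state) == prng.next()
    return False


if __name__ == "__main__":
    print("premature next, 256 bits in 8-bit chunks: attacker tracks state =", premature_next_scenario())
    print("accumulate 256 bits first:                attacker tracks state =", accumulate_first_scenario())
    print("accumulate only 16 bits first:            attacker tracks state =", accumulate_first_scenario(chunks=2))
```

Running the script prints True, False, True: the same 256 bits of input entropy either do or do not recover from the compromise depending only on whether an output was released before they had accumulated. Real generators bound this with a reseed threshold or entropy pools; the toy PRNG above is there to show the attack, not as a design to copy.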

