[Cryptography] Uncorrelated sequence length, was: A TRNG review per day

David Leon Gil coruus at gmail.com
Fri Oct 24 19:32:54 EDT 2014

On Fri, Oct 24, 2014 at 5:01 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> On Fri, Oct 24, 2014 at 1:56 PM, Bear <bear at sonic.net> wrote:
>> On Fri, 2014-10-24 at 05:31 -0400, Bill Cox wrote:
>> > So, why do we need true random data at high speed so badly that Intel
>> > decided to build in a device requiring large capacitors and its own
>> > power regulator?  The truth is, we don't need high speed.  As many
>> > people have argued here, all any single system requires is 256 bits of
>> > true random data.  That's all they *ever* need, so long as it remains
>> > secret (which is hard), and so long as a cryptographically secure PRNG
>> > (CPRNG) is used to generate all future cryptographically pseudo-random
>> > data (which is comparatively easy).

The current provable-security bounds on recovering from state
compromise require anywhere from 2 KiB to 20 KiB of input entropy to
recover from "state compromise". See section 5.3 of

So, perhaps some applications would want a fairly large amount of entropy.
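As an added illustration of the two positions above (not code from this thread or from any paper it cites), a toy forward-secure generator with entropy input: a 256-bit seed is enough while the state stays secret, and once the state leaks, outputs remain predictable until fresh entropy the attacker does not see is mixed in. The construction, class and function names are this example's own.

```python
"""Toy PRNG-with-input: HMAC-SHA256 outputs, a hash ratchet on the state,
and a refresh() that absorbs new entropy. Constructed for illustration only."""
import hashlib
import hmac
import os


class ToyPrng:
    """output = HMAC(state, counter); state is ratcheted after every output."""

    def __init__(self, seed: bytes):
        # Derive the initial 256-bit state from the seed (e.g. 32 bytes of true randomness)
        self.state = hashlib.sha256(b"init" + seed).digest()
        self.counter = 0

    def next_block(self) -> bytes:
        out = hmac.new(self.state, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        # Ratchet: the previous state cannot be recovered from the new one,
        # so past outputs stay safe if the state leaks later (forward security).
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        self.counter += 1
        return out

    def refresh(self, entropy: bytes) -> None:
        # Mix fresh entropy into the state; whoever copied the old state now has
        # to guess this input to keep predicting outputs (recovery from compromise).
        self.state = hashlib.sha256(b"refresh" + self.state + entropy).digest()


def compromise_experiment(seed: bytes, entropy: bytes, blocks: int = 3):
    """Model a full state leak: the 'attacker' generator holds an exact copy of
    the victim's internal state. Returns (matched_before, matched_after): how
    many of `blocks` outputs it predicts before and after the victim refreshes
    with `entropy` that the attacker never sees."""
    victim = ToyPrng(seed)
    attacker = ToyPrng(b"")                      # placeholder seed, overwritten below
    attacker.state, attacker.counter = victim.state, victim.counter
    before = sum(attacker.next_block() == victim.next_block() for _ in range(blocks))
    victim.refresh(entropy)                      # fresh input the attacker lacks
    after = sum(attacker.next_block() == victim.next_block() for _ in range(blocks))
    return before, after


if __name__ == "__main__":
    # Constructed seed; a real system would draw it from a TRNG once.
    print(compromise_experiment(b"\x01" * 32, os.urandom(32)))   # (3, 0)
```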
