[Cryptography] Uncorrelated sequence length, was: A TRNG review per day

dj at deadhat.com
Sat Oct 25 16:58:29 EDT 2014

> No good reasons; OSX (and some BSDs?), for example, uses Schneier's
> Fortuna RNG, which is cryptographically sensible.

Since I'm sitting in an airport I've got plenty of time to cogitate.

We are criticizing Linux for not hashing on the way into the pool.
You can hash into the pool, out of the pool or both, or do something
completely different.

Linux hashes on the way out. Why is this better or worse than hashing on
the way in? I don't know.

In terms of Linux architecture it makes sense. The data on the way in
comes in as a function of what the machine provides. Putting a compute
heavy task on this path leads to an uncontrolled amount of effort being
spent, regardless of whether or not /dev/[u]random is used.

Hashing on the way out makes the effort spent a function of the rate at which
things call /dev/[u]random, which is an unspent effort if you aren't. This
is sensible: only invoke the cost if you invoke the feature.

Other things are certainly better, like in the BSDs.

I thought everyone who cared had their own version of random.c. I do, but
I'm too lazy to patch the kernel each time I bring up a machine.
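As an added illustration of the cost argument above (constructed toy code, not Linux's random.c or any BSD pool): two minimal pools that differ only in where the hash sits, with a counter showing that hash-on-output cost tracks reads while hash-on-input cost tracks incoming events. The XOR mixing and SHA-256 choice are assumptions for the example, not the kernel's design.

```python
import hashlib


class HashOnOutputPool:
    """Raw events are XORed into a fixed buffer (cheap input path);
    a hash runs only when a caller reads. Constructed example."""

    def __init__(self, size: int = 64) -> None:
        self.pool = bytearray(size)
        self.pos = 0
        self.counter = 0
        self.hash_calls = 0

    def add_event(self, data: bytes) -> None:
        for b in data:  # no hash on this path, cost is bounded per byte
            self.pool[self.pos] ^= b
            self.pos = (self.pos + 1) % len(self.pool)

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1
            h = hashlib.sha256(bytes(self.pool) + self.counter.to_bytes(8, "big")).digest()
            self.hash_calls += 1
            self.add_event(h)  # feed output back so the state moves forward
            out += h
        return out[:n]


class HashOnInputPool:
    """Every incoming event is hashed into the state, so the cost is paid
    on the input path whether or not anyone ever reads. Constructed example."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32
        self.counter = 0
        self.hash_calls = 0

    def add_event(self, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + data).digest()
        self.hash_calls += 1

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.counter += 1  # output still needs a hash so state is not exposed
            out += hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
            self.hash_calls += 1
        return out[:n]


def hash_cost(pool_cls, events: int, reads: int, read_len: int = 32) -> int:
    """Count hash invocations for a workload of `events` inputs and `reads` reads."""
    pool = pool_cls()
    for i in range(events):
        pool.add_event(i.to_bytes(4, "big"))  # constructed stand-in for a hardware event
    for _ in range(reads):
        pool.read(read_len)
    return pool.hash_calls
```

With 1000 events and no readers the hash-on-output pool does no hashing at all, while the hash-on-input pool pays 1000 hashes regardless.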
