[Cryptography] RFC possible changes for Linux random device

John Denker jsd at av8n.com
Tue Sep 16 06:43:30 EDT 2014


Executive summary:  In any PRNG, it is necessary to be
fastidious about the distinction between entropy on
the one hand and pseudo-randomness on the other hand.

The idea of having a wasteful PRNG /per process/ is very 
much open to question.


On Mon, Sep 15, 2014 at 3:20 PM, Theodore Ts'o <tytso at mit.edu> wrote:
>>  Something to think about in terms of doing this as a very simple
>>  change.  I've considered for a while the thought of using a
>>  per-process key, ...
>> 
>>  That way, there's absolutely no question that a heavy entropy user
>>  from one process would influence the random number stream that would
>>  be made available to another process.


On 09/15/2014 08:05 PM, Sandy Harris wrote:

> That is a very good idea.

I don't see how it solves the main problem.

One problem I see is that /dev/urandom wastes entropy,
by which I mean real entropy.
 -- If the problem gets solved, it can perfectly well 
  be solved on a per-host basis.  Solving it on a 
  per-process basis doesn't help.
 -- If the problem remains unsolved, it is at least 
  as bad on a per-process basis as on a per-host 
  basis.  In fact it could be worse, if we have a 
  lot of entropy-wasters running in parallel.

When entropy is scarce, as it often is, deciding who gets
how much becomes a policy issue, essentially an economics
issue.  Doing things on a per-process basis is neither
necessary nor sufficient.  For one thing, even within a 
single process there can be multiple randomness-consumers, 
each with different needs, each subject to different
policies.


>> a heavy entropy user           [1]

That's not the right way to frame the discussion.  The
statement refers to the output of the PRNG, which is 
not properly called entropy.  It contains a lot of 
randomness, but very little entropy.

Note:  If I thought the word "entropy" in statement [1]
was merely a typo I wouldn't be mentioning it.

Similarly:  If I thought it were merely a misnomer I
wouldn't be mentioning it.  Terminology is not very
important ... except insofar as it affects how we 
formulate and communicate ideas.

I mention it because it seems to be a misconception,
not just a misnomer.

There is a crucial distinction here:
 *) The output of a TRNG has an entropy density of
  (100% minus epsilon).
 *) The output of a PRNG has an entropy density of
  (0% plus epsilon).

In any PRNG it is necessary to be fastidious about
this distinction, and to manage the entropy carefully.
The existing random.c fails to do this.  In the past
I have made specific constructive suggestions about 
this off-list, to no effect AFAICT.

Bottom line: 
 ++ Please let's be fastidious about the distinction 
  between entropy on the one hand and pseudo-randomness
  on the other hand.
 ++ The idea of having a wasteful PRNG /per process/
  is very much open to question.
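
The TRNG-versus-PRNG entropy-density distinction above, as an added worked example that is not part of John Denker's post nor of the kernel's random.c. It enumerates every seed of a deliberately tiny (10-bit) seed space, expands each seed through a toy PRNG, and measures the Shannon entropy of the resulting output against its length, first for one consumer and then for four per-process keys derived from the same host seed. The PRNG construction (HMAC-SHA256 in counter mode), the per-process key derivation (HMAC of the host seed and a pid), the function names and the uniform-seed assumption are all mine for illustration, not Ts'o's design or the kernel's:

```python
"""Added example, not part of John Denker's post nor of the kernel's random.c.

It makes the entropy-density point concrete: a PRNG stream carries no more
Shannon entropy than the seed it was expanded from, however long the stream
is, and splitting one seed into per-process keys leaves that bound unchanged.

Assumptions (all illustrative): the PRNG is HMAC-SHA256 in counter mode,
per-process keys are derived from the host seed with HMAC, and the host seed
is uniform over a tiny (10-bit) space so every seed can be enumerated and the
output distribution measured exactly rather than estimated.
"""
import hashlib
import hmac
import math
from collections import Counter


def prng_stream(key: bytes, nbytes: int) -> bytes:
    """Deterministic expansion: concatenated HMAC-SHA256(key, counter) blocks,
    truncated to nbytes. A toy PRF-based PRNG; every byte is a function of key."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def per_process_key(host_seed: bytes, pid: int) -> bytes:
    """A per-process key, modelled (assumption, not Ts'o's design) as a KDF
    of the host seed and the pid. It adds no entropy of its own."""
    return hmac.new(host_seed, b"per-process:" + pid.to_bytes(4, "big"),
                    hashlib.sha256).digest()


def shannon_entropy_bits(samples) -> float:
    """Shannon entropy, in bits, of the empirical distribution of samples."""
    counts = Counter(samples)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def entropy_density(seed_bits: int, stream_bytes: int, nprocs: int = 1) -> dict:
    """Enumerate all 2**seed_bits host seeds (uniform by assumption), give each
    of nprocs processes its own key and stream, and measure the entropy of the
    concatenated output against its length in bits."""
    seed_len = max(1, (seed_bits + 7) // 8)
    outputs = []
    for s in range(1 << seed_bits):
        host_seed = s.to_bytes(seed_len, "big")
        joint = b"".join(prng_stream(per_process_key(host_seed, pid), stream_bytes)
                         for pid in range(nprocs))
        outputs.append(joint)
    h = shannon_entropy_bits(outputs)
    total_bits = 8 * stream_bytes * nprocs
    return {
        "distinct_outputs": len(set(outputs)),  # can never exceed 2**seed_bits
        "entropy_bits": h,                      # can never exceed seed_bits
        "output_bits": total_bits,
        "density": h / total_bits,              # tends to 0 as the stream grows
    }


if __name__ == "__main__":
    one = entropy_density(seed_bits=10, stream_bytes=1024)
    four = entropy_density(seed_bits=10, stream_bytes=256, nprocs=4)
    for label, r in (("one process, 1024 B", one),
                     ("four processes, 256 B each", four)):
        print(f"{label}: {r['entropy_bits']:.1f} bits of entropy in "
              f"{r['output_bits']} output bits, density {r['density']:.5f}")
    # A TRNG stream of the same 8192 bits would have density close to 1:
    # its entropy grows with its length, whereas a PRNG's is fixed at the seed.
```

Both configurations produce 8192 output bits holding exactly 10 bits of entropy, a density of about 0.0012, which is the "0% plus epsilon" of the post; the per-process split moves nothing, because the budget being spent is the host seed's. The measurement is of the output distribution taken over seeds, i.e. the uncertainty facing someone who does not know the seed; once the seed is known the stream has no entropy at all.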


