[Cryptography] Generating random values in a particular range

Ray Dillinger bear at sonic.net
Thu Aug 18 15:09:47 EDT 2016



On 08/07/2016 12:37 PM, dj at deadhat.com wrote:

> I note for no particular reason that re-hashing the last hash until you
> get a number less than q, rather than adding 1 to the original value and
> hashing is cheaper by the cost of one addition.

I note that the no-increment solution creates cycles whose period
resists specific calculation but which on average have one half the
order of magnitude of the state. The with-increment solution creates a
single cycle whose period can be easily calculated and has the same
order of magnitude as the state.  Increasing the size of the state to
achieve the same longer period would increase the cost of hashing by an
amount greater than the cost of a single increment.

In practical terms, whether this is significant or not probably depends
on other engineering concerns, assuming your RNG state is at least
quadruple the size of any keys you might generate using it.  If your
state is only twice the size of any keys you might generate using it,
the with-increment method is to be preferred for security reasons.  If
your state is less than twice the size of any keys you might generate
using it, your system is simply wrong and the method doesn't matter.

				Bear
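The two rejection-sampling variants discussed in this exchange, side by side, as an added illustration that is not code from the thread or from either poster. The "hash" is a constructed stand-in (SHA-256 truncated to a few bits) so that the cycle structure Bear describes can actually be measured: iterating x -> H(x) on an N-point state space behaves like a random mapping, whose walk from a seed has a tail plus a cycle of combined expected length on the order of sqrt(N), whereas the increment map is a permutation and always traces one cycle of length exactly N. The function names, the choice of 16-bit state and the seed values are all assumptions made for this example.

```python
import hashlib
import statistics


def toy_hash(x: int, bits: int) -> int:
    """Stand-in for a full-width hash: SHA-256 of x, truncated to `bits` bits.
    The truncation is deliberate so that cycles are observable in a few
    thousand steps; it is an illustration device, not a recommendation."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def rehash_step(bits):
    """Method A (no increment): next state = H(previous state).
    The state is the last hash output, so the state map is a random mapping."""
    return lambda s: toy_hash(s, bits)


def increment_step(bits):
    """Method B (with increment): the state is a counter; each output is
    H(counter) and the counter advances by one mod 2^bits. The state map is a
    permutation, hence a single cycle of length 2^bits with no tail."""
    mask = (1 << bits) - 1
    return lambda s: (s + 1) & mask


def rho_structure(step, seed):
    """Walk state -> step(state) from `seed` until a state repeats.
    Returns (tail_length, cycle_length)."""
    first_seen = {}
    state, n = seed, 0
    while state not in first_seen:
        first_seen[state] = n
        state = step(state)
        n += 1
    entry = first_seen[state]
    return entry, n - entry


def mean_walk_length(bits, seeds, increment):
    """Average number of distinct states visited before the first repeat,
    i.e. the number of fresh outputs the generator can deliver from a seed."""
    step = increment_step(bits) if increment else rehash_step(bits)
    return statistics.fmean(sum(rho_structure(step, s)) for s in seeds)


def sample_below(q, seed, bits, increment):
    """Rejection sampling: keep drawing until the value is < q.
    Returns (value, hashes_used). Expected hashes_used is 2^bits / q."""
    mask = (1 << bits) - 1
    assert 0 < q <= 1 << bits
    state, used = seed & mask, 0
    while True:
        if increment:
            out = toy_hash(state, bits)
            state = (state + 1) & mask
        else:
            out = state = toy_hash(state, bits)
        used += 1
        if out < q:
            return out, used


if __name__ == "__main__":
    seeds = range(8)
    print("16-bit state, mean distinct states before the sequence repeats:")
    print("  re-hash last output :", mean_walk_length(16, seeds, increment=False))
    print("  increment and hash  :", mean_walk_length(16, seeds, increment=True))
    print("sample below q=40000 :", sample_below(40000, 7, 16, increment=True))
```

With a 16-bit state the re-hash walk typically repeats after a few hundred distinct states, while the counter walk always yields all 65536 before repeating; that gap is the "half the order of magnitude" in the message, and it is exactly what a state only twice the key size cannot afford to lose.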


