[Cryptography] Is Ron right on randomness

Salz, Rich rsalz at akamai.com
Wed Nov 23 09:55:04 EST 2016


> Everything that matters about randomness can be summarized in four bullet points:
> 
> 1. You need two things: an entropy source, and a whitener. No entropy
> source is perfect, so you need a whitener no matter what. You don't have to
> do anything fancy in your whitener. Any cryptographically secure hash
> function (like SHA512) will do.
> 
> 2. Since you need a whitener no matter what, it doesn't really matter how
> good your entropy source is, except insofar as it might take a long time to
> collect enough entropy from a very poor source. All that matters is that you
> have an accurate lower bound for how much entropy your source actually
> provides, and this is the case no matter how good (or bad) your source
> actually is. As long as you feed >N bits of entropy into your whitener, you can
> safely extract N bits of true randomness out of it.
> 
> 3. You don't need more than a few hundred bits of randomness. 128 bits is
> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
> cryptographically secure PRNG with a few hundred bits of entropy and you
> can safely extract gigabytes of key material out of it.

(I omitted #4)

Is the above accurate?  Is it a reasonable design point to use for OpenSSL's next CSPRNG?
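The pipeline in points 1 to 3, as an added illustration that is not part of Ron's or Rich's post and is not OpenSSL's CSPRNG: a constructed, heavily biased bit source with a known min-entropy lower bound, SHA-512 as the whitener, and a small HMAC-SHA512 generator seeded once (simplified for reading, not NIST SP 800-90A HMAC_DRBG). All function and class names are assumptions of this example.

```python
import hashlib
import hmac
import math
import random


def min_entropy_per_bit(p_one):
    """Min-entropy in bits of one sample from a biased bit source with Pr[1] = p_one.
    This is the conservative lower bound point 2 says you must know."""
    return -math.log2(max(p_one, 1.0 - p_one))


def biased_bit_source(p_one, seed=1234):
    """Constructed stand-in for a poor entropy source: a coin that lands 1 with
    probability p_one.  Deterministically seeded so the example is reproducible;
    a real source would be a device read whose bias was measured beforehand."""
    rng = random.Random(seed)
    while True:
        yield 1 if rng.random() < p_one else 0


def collect_seed(source, entropy_per_sample, n_bits=256):
    """Points 1 and 2: pull samples until the credited lower-bound entropy
    strictly exceeds n_bits, then whiten everything with SHA-512 and keep
    n_bits of the digest.  Returns (seed_bytes, samples_used)."""
    samples = bytearray()
    credited = 0.0
    while credited <= n_bits:  # '>N bits in' before taking 'N bits out'
        samples.append(next(source))
        credited += entropy_per_sample
    digest = hashlib.sha512(bytes(samples)).digest()
    return digest[: n_bits // 8], len(samples)


class SimpleDRBG:
    """Point 3: one seed, arbitrary output.  The key ratchets forward after
    every block so an exposed state does not reveal earlier output."""

    def __init__(self, seed):
        self.key = hashlib.sha512(b"init" + seed).digest()
        self.counter = 0

    def generate(self, n_bytes):
        out = bytearray()
        while len(out) < n_bytes:
            ctr = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, b"out" + ctr, hashlib.sha512).digest()
            self.key = hmac.new(self.key, b"next", hashlib.sha512).digest()
            self.counter += 1
        return bytes(out[:n_bytes])


def demo(p_one=0.9, n_bits=256):
    """Run the whole chain; returns (bits credited per sample, samples used, seed, 64 output bytes)."""
    per_sample = min_entropy_per_bit(p_one)  # about 0.152 bits per sample at p = 0.9
    seed, used = collect_seed(biased_bit_source(p_one), per_sample, n_bits)
    return per_sample, used, seed, SimpleDRBG(seed).generate(64)
```

With a 90/10 biased source the whitener needs roughly 1,700 samples before 256 bits can be credited; the point of the design is that the count follows from the measured bound, not from how good the source feels.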


