[Cryptography] Is Ron right on randomness
Carl Ellison
cme at acm.org
Wed Nov 23 17:15:26 EST 2016
Point 2 is misleading. Discovering how many bits of entropy you get in every M bits of source takes lots of work and the steps don't tell how to do that.
Sent from my phone
On Nov 23, 2016, at 09:55, Salz, Rich <rsalz at akamai.com> wrote:
>> Everything that matters about randomness can be summarized in four bullet points:
>>
>> 1. You need two things: an entropy source, and a whitener. No entropy
>> source is perfect, so you need a whitener no matter what. You don't have to
>> do anything fancy in your whitener. Any cryptographically secure hash
>> function (like SHA512) will do.
>>
>> 2. Since you need a whitener no matter what, it doesn't really matter how
>> good your entropy source is, except insofar as it might take a long time to
>> collect enough entropy from a very poor source. All that matters is that you
>> have an accurate lower bound for how much entropy your source actually
>> provides, and this is the case no matter how good (or bad) your source
>> actually is. As long as you feed >N bits of entropy into your whitener, you can
>> safely extract N bits of true randomness out of it.
>>
>> 3. You don't need more than a few hundred bits of randomness. 128 bits is
>> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
>> cryptographically secure PRNG with a few hundred bits of entropy and you
>> can safely extract gigabytes of key material out of it.
>
> (I omitted #4)
>
> Is the above accurate? Is it a reasonable design point to use for OpenSSL's next CSPRNG?
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
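An added example, not code from anyone in this thread, of the gap between point 2's "accurate lower bound" and what a simple estimator delivers. It uses the Most Common Value estimate from NIST SP 800-90B as a stand-in estimator, sizes the input to a SHA-512 whitener from it, and shows a fully predictable counter scoring as a good source. The function names, the 2x margin and both sample sources are assumptions constructed for illustration.

```python
import hashlib
import math
import random
from collections import Counter

def mcv_min_entropy(samples):
    """Most Common Value estimate (NIST SP 800-90B, 6.3.1), bits per sample.
    Only meaningful if the samples are independent and identically distributed."""
    n = len(samples)
    p_hat = Counter(samples).most_common(1)[0][1] / n
    # Upper 99% confidence bound on the most likely value's probability.
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return -math.log2(p_u)

def samples_needed(h_per_sample, out_bits, margin=2.0):
    """Raw samples to collect so the claimed input entropy is margin * out_bits.
    The 2x margin is an assumption of this example."""
    if h_per_sample <= 0:
        raise ValueError("source has no claimed entropy")
    return math.ceil(margin * out_bits / h_per_sample)

def whiten(samples, out_bits=256):
    """Condition raw byte samples with SHA-512 and truncate to out_bits."""
    return hashlib.sha512(bytes(samples)).digest()[: out_bits // 8]

# Constructed sources, not measurements from real hardware.
rng = random.Random(2016)  # fixed seed so the run is reproducible
biased = [0 if rng.random() < 0.9 else rng.randrange(1, 256) for _ in range(20000)]
counter = [i % 256 for i in range(20000)]  # fully predictable: true entropy is 0

H_BIASED = mcv_min_entropy(biased)
H_COUNTER = mcv_min_entropy(counter)

if __name__ == "__main__":
    n = samples_needed(H_BIASED, 256)
    print(f"biased source : {H_BIASED:.3f} bits/sample, {n} samples per 256-bit seed")
    print(f"counter source: {H_COUNTER:.3f} bits/sample claimed, 0 in reality")
    print("seed from biased source:", whiten(biased[:n]).hex())
```

The counter passes because the estimator only looks at value frequencies; catching it needs a model of the source or estimators that account for dependence between samples.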