[Cryptography] Is Ron right on randomness
Ron Garret
ron at flownet.com
Wed Nov 23 18:22:08 EST 2016
On Nov 23, 2016, at 6:55 AM, Salz, Rich <rsalz at akamai.com> wrote:
>> Everything that matters about randomness can be summarized in four bullet points:
>>
>> 1. You need two things: an entropy source, and a whitener. No entropy
>> source is perfect, so you need a whitener no matter what. You don't have to
>> do anything fancy in your whitener. Any cryptographically secure hash
>> function (like SHA512) will do.
>>
>> 2. Since you need a whitener no matter what, it doesn't really matter how
>> good your entropy source is, except insofar as it might take a long time to
>> collect enough entropy from a very poor source. All that matters is that you
>> have an accurate lower bound for how much entropy your source actually
>> provides, and this is the case no matter how good (or bad) your source
>> actually is. As long as you feed >N bits of entropy into your whitener, you can
>> safely extract N bits of true randomness out of it.
>>
>> 3. You don't need more than a few hundred bits of randomness. 128 bits is
>> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
>> cryptographically secure PRNG with a few hundred bits of entropy and you
>> can safely extract gigabytes of key material out of it.
>
> (I omitted #4)
>
> Is the above accurate?
Yes ;-)
I would also add:
5. It is not possible to assess the quality of a random number generator by looking at post-whitener output. Post-whitener output will *always* pass all statistical tests (otherwise there is a flaw in the hash function). This is why most of the performance data for e.g. OneRNG and RDRand is useless.
rg
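The pipeline in points 1 to 3 and the caveat in point 5, as an added worked example (Python, written for this page; it is not code from the thread, from OneRNG or from any RDRAND driver). Everything in it is constructed for illustration: the "entropy source" is a seeded Mersenne Twister with a deliberate 90% bias (so it has no real entropy at all), the whitener is SHA-512 over the raw pool, the entropy accounting uses the designer's *claimed* worst-case bias p_max as the min-entropy lower bound, and the expansion step is a plain HMAC-SHA512 counter mode standing in for a real seeded CSPRNG. The monobit statistic is the NIST SP 800-22 one. The point to take from running it is the last one in the thread: the raw source fails the test by a mile, the whitened output of the same source passes, and so does the whitened output of a source with zero entropy, so the only place a statistical check is informative is on the raw samples.

```python
import hashlib
import hmac
import math
import random
from typing import Callable, Dict, List, Tuple

BitSource = Callable[[], int]


def biased_bit_source(p_one: float, seed: int = 1234) -> BitSource:
    """Constructed stand-in for a poor hardware entropy source: emits 1 with
    probability p_one. Driven by a seeded Mersenne Twister purely so the
    example is reproducible; it contains no real entropy whatsoever."""
    rng = random.Random(seed)
    return lambda: 1 if rng.random() < p_one else 0


def min_entropy_per_bit(p_max: float) -> float:
    """Min-entropy (bits per sample) of a bit whose most likely value occurs
    with probability p_max. This is the conservative figure for the
    accounting in point 2, not Shannon entropy."""
    return -math.log2(p_max)


def monobit_z(bits: List[int]) -> float:
    """|ones - zeros| / sqrt(n), the SP 800-22 monobit statistic. A fair
    source gives roughly 0..3; a strongly biased one gives far more."""
    n = len(bits)
    return abs(2 * sum(bits) - n) / math.sqrt(n)


def collect_and_whiten(source: BitSource, n_bits: int = 256,
                       p_max: float = 0.9, margin: float = 2.0
                       ) -> Tuple[bytes, List[int]]:
    """Points 1 and 2: collect raw samples until the *claimed* min-entropy
    lower bound reaches margin * n_bits (any margin > 1 meets the ">N bits"
    condition; 2 is just a conservative choice here), then whiten the pool
    with SHA-512 and keep n_bits of the digest.

    The accounting deliberately uses p_max, the claimed worst-case bias, not
    the observed frequency: the lower bound is what matters. The raw pool is
    returned as well so the caller can check that claim where it can actually
    be checked, on the raw samples (point 5)."""
    if not 0 < n_bits <= 512 or n_bits % 8:
        raise ValueError("n_bits must be a multiple of 8 up to 512 (SHA-512)")
    per_sample = min_entropy_per_bit(p_max)
    pool: List[int] = []
    while len(pool) * per_sample < margin * n_bits:
        pool.append(source())
    # Sanity check of the claimed bound against the raw pool. If the source
    # is worse than p_max the bound is wrong and the output is not n_bits of
    # randomness, however random it looks. The 0.05 slack is arbitrary.
    observed = max(sum(pool), len(pool) - sum(pool)) / len(pool)
    if observed > p_max + 0.05:
        raise RuntimeError(f"observed bias {observed:.3f} exceeds claimed {p_max}")
    digest = hashlib.sha512(bytes(pool)).digest()   # one byte per raw sample
    return digest[:n_bits // 8], pool


def expand(seed: bytes, n_bytes: int) -> bytes:
    """Point 3: stretch a short seed into as much key material as wanted.
    Illustrative HMAC-SHA512 counter mode; a deployed generator would be a
    standardised DRBG with reseeding, but the principle is the same."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha512).digest()
        counter += 1
    return bytes(out[:n_bytes])


def bytes_to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(8)]


def demo() -> Dict[str, float]:
    source = biased_bit_source(0.9)                   # 90% ones: a bad source
    seed, raw_pool = collect_and_whiten(source, n_bits=256, p_max=0.9)
    stream = expand(seed, 8192)                        # 64 kbit of output
    # Point 5: a pool with literally zero entropy whitens to output that is
    # statistically indistinguishable from the real thing.
    dead_seed = hashlib.sha512(bytes(1000)).digest()
    dead_stream = expand(dead_seed, 8192)
    return {
        "raw_samples": len(raw_pool),
        "raw_z": monobit_z(raw_pool),                  # fails hard
        "whitened_z": monobit_z(bytes_to_bits(stream)),        # passes
        "zero_entropy_z": monobit_z(bytes_to_bits(dead_stream)),  # also passes
        "seed_len": len(seed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows raw_z in the tens while whitened_z and zero_entropy_z both sit below 3, which is exactly why benchmarking a TRNG on its whitened output proves nothing; the only meaningful measurements are the raw-sample check inside collect_and_whiten and the honesty of the p_max claim that feeds the accounting.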