[Cryptography] Is Ron right on randomness

Ron Garret ron at flownet.com
Wed Nov 23 18:22:08 EST 2016

On Nov 23, 2016, at 6:55 AM, Salz, Rich <rsalz at akamai.com> wrote:

>> Everything that matters about randomness can be summarized in four bullet points:
>> 1. You need two things: an entropy source, and a whitener. No entropy
>> source is perfect, so you need a whitener no matter what. You don't have to
>> do anything fancy in your whitener. Any cryptographically secure hash
>> function (like SHA512) will do.
>> 2. Since you need a whitener no matter what, it doesn't really matter how
>> good your entropy source is, except insofar as it might take a long time to
>> collect enough entropy from a very poor source. All that matters is that you
>> have an accurate lower bound for how much entropy your source actually
>> provides, and this is the case no matter how good (or bad) your source
>> actually is. As long as you feed >N bits of entropy into your whitener, you can
>> safely extract N bits of true randomness out of it.
>> 3. You don't need more than a few hundred bits of randomness. 128 bits is
>> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
>> cryptographically secure PRNG with a few hundred bits of entropy and you
>> can safely extract gigabytes of key material out of it.
> (I omitted #4)
> Is the above accurate?

Yes ;-)

I would also add:

5.  It is not possible to assess the quality of a random number generator by looking at post-whitener output.  Post-whitener output will *always* pass all statistical tests (otherwise you there is a flaw in the hash function).  This is why most of the performance data for e.g. OneRNG and RDRand is useless.


More information about the cryptography mailing list