[Cryptography] RNG design principles

Theodore Ts'o tytso at mit.edu
Wed Nov 23 22:58:05 EST 2016


On Wed, Nov 23, 2016 at 05:19:10PM -0700, John Denker wrote:
> >> 3. You don't need more than a few hundred bits of randomness. 128 bits is
> >> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
> >> cryptographically secure PRNG with a few hundred bits of entropy and you
> >> can safely extract gigabytes of key material out of it.
> 
> That's more-or-less kinda usually true, although once again I would
> not promote it to the status of an axiom or commandment.
> 
> Again it touches back to item (1), insofar as if you are using SHA512,
> then 512 bits of input is definitely not overkill.
> 
> More importantly, at some point, you have to address the re-seeding issue.
> 
> I'll let them speak for themselves, but there are people on this list
> who would vehemently object to item (3).  They have spent years building
> PRNGs that constantly re-seed themselves, to the point where the PRNG
> becomes in effect a denial-of-service attack on the HRNG.

I'm not going to be vehement about it, but there is the question of
whether or not you believe the system should be able to recover after
partial or complete exposure of the internal state of your CSPRNG or
not.  One approach, which is the purist's approach, is to say if
someone can compromise your system even a tiny bit, all bets are off,
and you might as well go home.

Another school of thought is to say that building a resilient system
is good, and so periodic reseeding from hardware sources of randomness
is a good thing.  Whether or not this is a denial-of-service attack
depends on whether or not you believe it's worthwhile to have such
self-healing properties or not.

						- Ted
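The recovery property Ted describes, as an added illustration that is not part of the thread: a constructed toy SHA-512 hash DRBG (not the Linux kernel RNG or any real library) whose state is copied at the moment of compromise, with `os.urandom` standing in for the hardware entropy source.

```python
import copy
import hashlib
import os


class HashDRBG:
    """Toy SHA-512 DRBG (constructed for illustration, not a real design).
    State is a 64-byte key plus a block counter; each output block is
    SHA-512 over the key and counter. The key is ratcheted after every
    generate() call and reseed() folds fresh entropy into it."""

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha512(b"seed" + seed).digest()
        self.counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = b"out" + self.key + self.counter.to_bytes(8, "big")
            out += hashlib.sha512(block).digest()
            self.counter += 1
        # One-way ratchet: a later state capture does not reveal past output.
        self.key = hashlib.sha512(b"ratchet" + self.key).digest()
        return out[:n]

    def reseed(self, entropy: bytes) -> None:
        # Mixing in entropy the attacker never saw makes future output
        # unpredictable again even if the whole state leaked earlier.
        self.key = hashlib.sha512(b"reseed" + self.key + entropy).digest()


def recovery_after_compromise(reseed: bool) -> tuple:
    """Simulate full exposure of the DRBG state. The attacker keeps an exact
    copy and tries to predict output; the system then either reseeds from
    the hardware source (os.urandom here) or keeps running as-is. Returns
    (predicted_before_reseed_point, predicted_after_reseed_point)."""
    drbg = HashDRBG(os.urandom(64))
    leaked = copy.deepcopy(drbg)  # attacker's snapshot of the internal state
    predicted_before = leaked.generate(32) == drbg.generate(32)
    if reseed:
        drbg.reseed(os.urandom(64))  # fresh entropy, unseen by the attacker
    predicted_after = leaked.generate(32) == drbg.generate(32)
    return predicted_before, predicted_after


if __name__ == "__main__":
    print("no reseed:", recovery_after_compromise(False))   # (True, True)
    print("with reseed:", recovery_after_compromise(True))  # (True, False)
```

Without reseeding the attacker's copy stays in lockstep forever; with a single reseed from a source the attacker cannot observe, the streams diverge, which is the "self-healing" that costs hardware entropy.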


More information about the cryptography mailing list