[Cryptography] Is Ron right on randomness

Bill Cox waywardgeek at gmail.com
Thu Nov 24 02:50:41 EST 2016 

On Wed, Nov 23, 2016 at 3:22 PM, Ron Garret <ron at flownet.com> wrote:

>
> On Nov 23, 2016, at 6:55 AM, Salz, Rich <rsalz at akamai.com> wrote:
>
> >> Everything that matters about randomness can be summarized in four
> bullet points:
> >>
> >> 1. You need two things: an entropy source, and a whitener. No entropy
> >> source is perfect, so you need a whitener no matter what. You don't
> have to
> >> do anything fancy in your whitener. Any cryptographically secure hash
> >> function (like SHA512) will do.
> >>
> >> 2. Since you need a whitener no matter what, it doesn't really matter
> how
> >> good your entropy source is, except insofar as it might take a long
> time to
> >> collect enough entropy from a very poor source. All that matters is
> that you
> >> have an accurate lower bound for how much entropy your source actually
> >> provides, and this is the case no matter how good (or bad) your source
> >> actually is. As long as you feed >N bits of entropy into your whitener,
> you can
> >> safely extract N bits of true randomness out of it.
> >>
> >> 3. You don't need more than a few hundred bits of randomness. 128 bits
> is
> >> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
> >> cryptographically secure PRNG with a few hundred bits of entropy and you
> >> can safely extract gigabytes of key material out of it.
> >
> > (I omitted #4)
> >
> > Is the above accurate?
>
> Yes ;-)
>

+1.  However, you now incorporate any security flaws in your CPRNG into
your random number source, thus spreading the flaws to all crypto on your
system.  You also integrate the probability over time that an attacker has
taken a snapshot of your CPRNG state.  I like to reseed the CPRNG now and
then with a few hundred unpredictable bits.


> I would also add:
>
> 5.  It is not possible to assess the quality of a random number generator
> by looking at post-whitener output.  Post-whitener output will *always*
> pass all statistical tests (otherwise you there is a flaw in the hash
> function).  This is why most of the performance data for e.g. OneRNG and
> RDRand is useless.
>

Absolutely right.  Only TRNGs that make raw data available should be
trusted.  Further, the source should have a simple physical model which is
proven out by measurements, preferably continuously.

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161123/43b7dd23/attachment.html>

More information about the cryptography mailing list