[11248] in cryptography@c2.net mail archive
Re: building a true RNG
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Mon Jul 29 20:02:31 2002
In-Reply-To: <3.0.5.32.20020729122038.00835260@pop.west.cox.net>
Date: Mon, 29 Jul 2002 17:37:46 -0400
To: David Honig <dahonig@cox.net>,
David Wagner <daw@cs.berkeley.edu>, jsd@monmouth.com (John S. Denker)
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: daw@mozart.cs.berkeley.edu (David Wagner),
cryptography@wasabisystems.com, barney@tp.databus.com (Barney Wolff)
At 12:20 PM -0700 7/29/02, David Honig wrote:
>
>"Whether there is a need for very high bandwidth RNGs" was discussed
>on cypherpunks a few months ago, and no examples were found.
>(Unless you're using something like a one-time pad where you need
>a random bit for every cargo bit.) Keeping in mind that
>a commercial crypto server can often accumulate entropy during
>off-peak hours.
>
It's been discussed here some time back as well. If you believe your
crypto primitives are infeasible to break, a crypto-based PRNG with a
long enough random seed should be indistinguishable from a true,
perfect RNG. If you are only confident that your crypto primitives
are expensive to break, then using a true RNG for keys and nonces,
rather than deriving them all from one PRNG, adds security.
This suggests a continuum of solutions: Construct a crypto PRNG and
periodically (once enough has accumulated) stir your entropy source
into its state in some safe way. If you extract entropy slower than
you put it in you can expect the equivalent of a true RNG. If you
extract entropy faster than you put it in, the system degrades
gracefully in the sense that someone who expends the effort to break
the number generation scheme only gets to read messages since the
last entropy update.
The reason for batching entropy input is to prevent someone who has
broken your system once from discovering each small entropy input by
exhaustive search. (There was a nice paper pointing this out in. If
someone has the reference...)
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com