[13921] in cryptography@c2.net mail archive


Re: PRNG design document?

daemon@ATHENA.MIT.EDU (John S. Denker)
Fri Aug 22 11:16:09 2003

X-Original-To: cryptography@metzdowd.com
Date: Fri, 22 Aug 2003 08:42:45 -0400
From: "John S. Denker" <jsd@av8n.com>
To: Tim Dierks <tim@dierks.org>
Cc: cryptography@metzdowd.com
In-Reply-To: <6.0.0.10.2.20030819114630.07cafa48@127.0.0.1>

On 08/19/2003 11:57 AM, Tim Dierks wrote:
 >
 > I'm assuming a cryptographic PRNG of the type in OpenSSL, PGP, etc.,
 > where entropic seeding data is accumulated into a pool and output is
 > produced by operating on the pool with a secure hash or similar
 > cryptographic algorithm.

The statement contains two inequivalent ideas:
  -- some applications (OpenSSL, PGP, etc.) which
     imply certain requirements, and
  -- some technology for generating numbers which
     may or may not meet those requirements.

The mentioned technology is what I classify as a
_stretched_ random symbol generator, because it
outputs an entropy density greater than zero but
less than 100%.

For most of the things that OpenSSL and PGP do,
certainly certificate generation and almost
certainly session-key generation, I would *not*
recommend using a stretched random symbol
generator, but rather a full-blown True Random
Symbol Generator, i.e. 100% entropy density.

There are other situations (e.g. expunging a
multi-gigabyte disk) where you might really
need to do some stretching.

BTW I prefer to reserve the term PRNG to apply
to the extreme case of zero entropy density, but
there's not much to be gained by quibbling about
terminology.

 > Is there a definitive or highly recommended paper or book on the
 > design of PRNGs?

How about this:
   http://www.av8n.com/turbid/

 > I'm interested in whether there's a strong source on what the design
 > considerations for how to process the input into the pool, mix &
 > remix the pool, and generate output are.

The idea of a pool that needs mixing and remixing
is not the optimal design IMHO.
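The three classes Denker uses above (PRNG at zero entropy density, "stretched" generator strictly between zero and 100%, True Random Symbol Generator at 100%) can be made concrete with a small model. The code below is an added illustration, not part of the original mail and not the OpenSSL, PGP or turbid design: it builds a minimal hash-stretched generator (SHA-256 in counter mode over a seed, a constructed toy, not any product's pool) and computes the upper bound on entropy density that follows from the fact that a deterministic function cannot add entropy, so output entropy is at most the seed entropy. The function names, the seed sizes and the disk-wipe scenario are assumptions chosen for the example.

```python
import hashlib
import os

def stretch(seed: bytes, n_out: int) -> bytes:
    """Toy stretched random symbol generator (constructed for this example).

    Produces n_out bytes as SHA-256(seed || counter) blocks.  Whatever n_out
    is, the output carries no more entropy than `seed` did: that is exactly
    what makes it a *stretched* generator rather than a true one.
    """
    if n_out < 0:
        raise ValueError("n_out must be non-negative")
    out = bytearray()
    counter = 0
    while len(out) < n_out:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_out])


def entropy_density(seed_entropy_bits: float, n_out_bytes: int) -> float:
    """Upper bound on entropy per output bit.

    Output entropy <= min(seed entropy, output length), since a deterministic
    post-processing step cannot create entropy.  Dividing by the output length
    gives the density in Denker's sense: 1.0 is a TRNG, 0.0 is a PRNG.
    """
    out_bits = 8 * n_out_bytes
    if out_bits <= 0:
        raise ValueError("need at least one output byte")
    if seed_entropy_bits < 0:
        raise ValueError("entropy cannot be negative")
    return min(seed_entropy_bits, out_bits) / out_bits


def classify(density: float) -> str:
    """Map a density to the terminology used in the mail."""
    if density <= 0.0:
        return "PRNG"            # zero entropy density
    if density < 1.0:
        return "stretched"       # strictly between 0 and 100%
    return "TRNG"                # 100% entropy density


def scenario(seed_entropy_bits: float, n_out_bytes: int) -> tuple[float, str]:
    """Convenience wrapper: density and class for a given seed/output size."""
    d = entropy_density(seed_entropy_bits, n_out_bytes)
    return d, classify(d)


if __name__ == "__main__":
    # Constructed seed: 32 bytes from the OS, assumed here to carry 256 bits
    # of entropy purely for the sake of the demonstration.
    seed = os.urandom(32)
    seed_bits = 256

    # A 256-bit key drawn directly from 256 bits of entropy: density 1.0.
    print("256-bit key from 256-bit seed:", scenario(seed_bits, 32))

    # The same seed stretched over 1 KiB: still fine for many uses, but the
    # per-bit entropy is now a small fraction.
    print("1 KiB from 256-bit seed:      ", scenario(seed_bits, 1024))

    # Expunging a multi-gigabyte disk is the case where stretching is really
    # needed; the density becomes vanishingly small but that does not matter.
    print("1 GiB from 256-bit seed:      ", scenario(seed_bits, 1 << 30))

    # A fixed, public seed is a pure PRNG: zero entropy in, zero out.
    print("anything from a known seed:   ", scenario(0, 64))

    print("first stretched bytes:", stretch(seed, 16).hex())
```

The model makes the practical point of the reply visible: for certificate or session-key generation one wants the first row (100% density, i.e. at least as much seed entropy as output), while a stretched generator is the right tool only when the volume of output, as in the disk-wipe case, makes 100% density impractical.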



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
