Re: Good enough for crypto?
From: Paul Crowley (paul_at_JUNKCATCHER.ciphergoth.org)
Date: 12/05/03
- Next message: Terry Ritter: "Re: Formulae for Latin squares of size 2^n"
- Previous message: r.e.s.: "Re: Good enough for crypto?"
- In reply to: Michael Amling: "Re: Good enough for crypto?"
- Next in thread: Scott Wilber: "Re: Good enough for crypto?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 05 Dec 2003 12:22:25 +0000
Michael Amling <nospam@nospam.com> writes:
> > If you've found bias in either the Intel RNG or Linux's /dev/urandom,
>
> Wait, isn't it /dev/random that's of cryptographic quality, and may
> slow down? And /dev/urandom from which random data of questionable
> quality is always available in any desired quantity?
AIUI, /dev/random aims to produce truly random bits, so it can produce
bits no faster than the rate at which it gathers entropy.
/dev/urandom is intended to be a cryptographically secure CPRNG which
will produce as many bits as desired once sufficient entropy is
gathered to initialise the PRNG. /dev/random is meant to be
information-theoretically secure against a computationally unbounded
attacker, while /dev/urandom aims for cryptographic security;
detecting any bias should be a Hard Problem on the same sort of scale
as brute-forcing a block cipher with a decent key length.
So detecting a bias in /dev/urandom would still be a publishable result.
--
Paul Crowley
sig@paul.ciphergoth.org
http://www.ciphergoth.org/
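The post distinguishes gross statistical bias (the kind a broken hardware RNG or a mis-seeded pool would show) from the cryptographic distinguishers that make "finding bias in /dev/urandom" a publishable result. As an added illustration, not part of the original thread or of any kernel code, the following Python script runs two elementary checks (a monobit z-score and a byte-frequency chi-square) over a sample of bytes, shows that they flag three constructed bad sources while a CSPRNG-style sample passes, and computes how many bits a monobit test needs before a given small bias is even visible. The source generators and thresholds are constructed for this example; `os.urandom` is the only live source used.

```python
import math
import os
import random


def monobit_z(data: bytes) -> float:
    """z-score of (ones - zeros) over all bits; |z| grows like sqrt(n) under bias."""
    ones = sum(bin(b).count("1") for b in data)
    zeros = len(data) * 8 - ones
    return (ones - zeros) / math.sqrt(ones + zeros)


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of byte-value frequencies against uniform (255 dof).
    For an unbiased source the expected value is 255 with std dev ~22.6."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_biased(data: bytes, z_limit: float = 4.0, chi_limit: float = 400.0) -> bool:
    """True if either elementary test rejects the sample. Thresholds are
    constructed for this example: both are far beyond normal fluctuation
    for a good source, so a False here means 'no gross bias', not 'secure'."""
    return abs(monobit_z(data)) > z_limit or byte_chi_square(data) > chi_limit


def bits_for_bias(delta: float, z_limit: float = 4.0) -> int:
    """Bits a monobit test needs to flag P(1) = 0.5 + delta at z_limit.
    With n bits, E[ones - zeros] = 2*delta*n, so z = 2*delta*sqrt(n)."""
    return round((z_limit / (2 * delta)) ** 2)


# --- Constructed sources (all seeded, so results are reproducible) ---------

def mt_source(n: int, seed: int = 42) -> bytes:
    """Stand-in for a well-seeded PRNG: Mersenne Twister output, full bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def seven_bit_source(n: int, seed: int = 1) -> bytes:
    """Faulty source whose top bit is always 0 (e.g. a 7-bit wide sampler)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(7) for _ in range(n))


def narrow_source(n: int, seed: int = 1) -> bytes:
    """Faulty source that only ever emits the values 0..15."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(4) for _ in range(n))


def bernoulli_source(p_one: float, n: int, seed: int = 1) -> bytes:
    """Source whose individual bits are 1 with probability p_one."""
    rng = random.Random(seed)
    return bytes(
        sum((rng.random() < p_one) << i for i in range(8)) for _ in range(n)
    )


def report(name: str, data: bytes) -> None:
    print(f"{name:>14}: z={monobit_z(data):8.2f} chi2={byte_chi_square(data):10.1f} "
          f"biased={looks_biased(data)}")


if __name__ == "__main__":
    n = 64 * 1024
    report("os.urandom", os.urandom(n))      # live kernel CSPRNG output
    report("mt_source", mt_source(n))
    report("seven_bit", seven_bit_source(n))
    report("narrow", narrow_source(n))
    report("p1=0.55", bernoulli_source(0.55, n))
    # A 0.1% bias needs ~4 million bits before even a monobit test sees it;
    # a cryptographic distinguisher is a far harder problem than this.
    print("bits to see a 0.1% bias:", bits_for_bias(0.001))
```

The thresholds are deliberately loose so the checks only reject clear defects; passing them says nothing about cryptographic strength, which is exactly the gap the post draws between "no visible bias" and "secure CSPRNG".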