LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

offtopic

offtopic

Posted Dec 18, 2007 15:11 UTC (Tue) by njs (guest, #40338)
In reply to: offtopic by ikm
Parent article: On entropy and randomness 

Okay, seriously, last crypto tutorial comment from me for a while, I swear...

There's a lot of research of how you generate good cryptographic PRNGs.  Some approaches use
hashes, some don't.  The analysis in general is utterly different from the analysis of
scientific PRNGs, for the natural reason that you don't care so much about having provably
insane period and provably insane equidistribution requirements; but you do care a huge amount
about e.g. making sure that the internal state remains secret even when people can observe the
PRNG's output, and that even if current state *were* revealed that this would not let you "run
the PRNG backwards" and work out what earlier states were, and that you are clever about how
you mix in new entropy from whatever external sources.  Of course, you'd *like* a provably
insane period too (to the extent that "period" is even meaningful when you are mixing in
entropy as you go), but it's very hard to get an algorithm that resists all cryptographic
analysis, *but* is still amenable to period analysis...

Random posts on python-list are, unfortunately, pretty useless for grokking this stuff.  If
you really are curious to learn how CPRNGs are designed, one convenient place to start might
be Schneier's various online-accessible writings on the subject:
  http://www.schneier.com/paper-prngs.html
  http://www.schneier.com/paper-yarrow.html
  http://www.schneier.com/blog/archives/2007/11/the_strange...
(Yarrow in particular is a fun and interesting algorithm, though no longer quite considered
state of the art.  The last link is awesome for anyone who enjoys some geeky conspiracy, and
has lots more links.)

(Log in to post comments)

offtopic

Posted Dec 19, 2007 3:39 UTC (Wed) by ikm (subscriber, #493) [Link] 

Yay! Thanks. You're right -- I've never thought too much about the use of RNGs outside
Monte-Carlos and such, and the properties you've mentioned can mean a lot more than typical
equidistribution/period requirements in other contexts indeed.

I'll go dig the links you've provided. Thanks again, your help is much appreciated.

offtopic

Posted Dec 20, 2007 17:57 UTC (Thu) by njs (guest, #40338) [Link] 

Cool, glad to help.  Have fun!

(If you really want to get into this, I also highly recommend Ferguson and Schneier's
/Practical Cryptography/.  /Applied Cryptography/ is better known, but it's all like "so in
RSA you use modular arithmetic on primes in the following way" while /Practical Cryptography/
is all like "so if for some reason you want to reinvent SSL, here are the design trade-offs
you have to decide about, and here are the subtle bugs you're going to put in that will break
everything".)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds