Subject: Re: insufficient entropy for rnd
To: Greg Troxel <gdt@ir.bbn.com>
From: Daniel Carosone <dan@geek.com.au>
List: tech-crypto
Date: 08/26/2003 06:48:03
On Mon, Aug 25, 2003 at 12:55:22PM -0400, Greg Troxel wrote:
> Basically, I was commenting on the notion of having 'full entropy'
> bits as the prime commodity via /dev/random, v.s. second-class bits
> from /dev/urandom.  If the seed has enough entropy, and the hash
> construction and the hash are sound, then the multiple outputs should
> all be unguessable and independent.

Yes.  They are identical, apart from the blocking property.

The idea of putting yarrow (or some similar PRNG) behind urandom
was to prevent the "don't really care" consumers from starving the
"really do care" consumers who are prepared to block.

> Being deeply worried about having
> full-entropy bits (which Yarrow is not) to me indicates a distrust of
> the hash function.  

No, of its input.

> But, rnd depends critically on using the hash
> function for mixing in bits.

No, for extracting them.  Bits are mixed in using an LFSR construction
of xor's. See the comments at the top of rnd_pool.c.
 
--
Dan.
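The design Dan sketches above, as a toy Python model added here (not code from NetBSD's rnd_pool.c or from this thread): input samples are mixed in with an xor/LFSR step, output is extracted by hashing the whole pool, a /dev/random-style reader debits the entropy estimate on every read, and a Yarrow-like generator behind the urandom path takes one seed and then never touches the pool again, so "don't care" consumers cannot starve blocking ones. The pool size, tap offsets, 32-bit samples and entropy-credit rules are constructed assumptions.

```python
import hashlib
POOL_WORDS = 32            # toy pool of 32-bit words (constructed size, not rnd_pool.c's)
TAPS = (1, 6, 14, 20, 26)  # hypothetical LFSR tap offsets for the toy pool
MASK = 0xFFFFFFFF

class ToyPool:
    """Inputs are mixed in with an xor/LFSR step; output is extracted by hashing."""
    def __init__(self):
        self.pool, self.idx, self.entropy_bits = [0] * POOL_WORDS, 0, 0
    def add(self, word, est_bits):
        """Mix one 32-bit sample into the pool (no hash involved) and credit entropy."""
        w = word & MASK
        for t in TAPS:                                # xor the sample into the tap slots
            self.pool[(self.idx + t) % POOL_WORDS] ^= w
        self.pool[self.idx] ^= ((w << 7) | (w >> 25)) & MASK  # rotated feedback term
        self.idx = (self.idx + 1) % POOL_WORDS
        self.entropy_bits = min(self.entropy_bits + est_bits, 32 * POOL_WORDS)
    def extract(self, nbytes):
        """Hash the whole pool; fold part of the digest back so output never reveals state."""
        out = b""
        while len(out) < nbytes:
            d = hashlib.sha256(b"".join(w.to_bytes(4, "little") for w in self.pool)).digest()
            self.add(int.from_bytes(d[:4], "little"), 0)  # feedback, no entropy credit
            out += d
        return out[:nbytes]

class BlockingRandom:      # /dev/random-style: every byte read debits the entropy estimate
    def __init__(self, pool): self.pool = pool
    def read(self, nbytes):
        if self.pool.entropy_bits < 8 * nbytes:
            return None                               # would block; modelled as "no data"
        self.pool.entropy_bits -= 8 * nbytes
        return self.pool.extract(nbytes)

class YarrowLikeUrandom:   # /dev/urandom-style: one seed from the pool, then a generator
    def __init__(self, pool, reseed_bits=256):
        self.pool, self.reseed_bits, self.key, self.ctr = pool, reseed_bits, None, 0
    def read(self, nbytes):
        if self.key is None:                          # seed once, when enough entropy exists
            if self.pool.entropy_bits < self.reseed_bits:
                return None
            self.pool.entropy_bits -= self.reseed_bits
            self.key = self.pool.extract(32)
        out = b""
        while len(out) < nbytes:                      # later reads never touch the pool
            out += hashlib.sha256(self.key + self.ctr.to_bytes(8, "little")).digest()
            self.ctr += 1
        return out[:nbytes]
```

Feed the pool a few credited samples, hammer the urandom reader, and the blocking reader still gets served: the generator consumed its reseed once and nothing more.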