Thanks for mentioning this, I should have made this clear from the start. I concur completely that for most practical applications the Yarrow-like approach you refer to is more appropriate than this. (I can't see the point of MT in this context - if you don't need cryptographic quality numbers, why go to such effort to get randomness at all?)
However, while in practice I have great faith in SHA-x and AES, their security is unproven. In fact, not only can we not prove that SHA-x is secure for this purpose - we don't even know how to state in precise formal terms what we're assuming about it.
The discussion arose out of how best to gather random bits for applications with unconditional provable security, such as the One Time Pad. I would nearly always recommend against using the OTP, which in most practical situations is less secure than more usual approaches, but I was intrigued by the engineering challenge of how one might gather bits for use in one while preserving the unconditional security.
In practice there are better sources of randomness than Geiger counters full stop, but if you want the strongest theoretical guarantees then an approach like this is interesting. It might also be useful as a conservative entropy estimator.
On your other point, /dev/random wasn't written by a cryptographer. I don't know if I see the point of /dev/random blocking myself - but then there's always /dev/urandom. AFAIK the Yarrow paper is still the best reference we have on practical design of an entropy-gathering CPRNG. You can't hold the community responsible for something that really isn't our responsibility - it's Ted Ts'o's.
no subject
Date: 2002-11-27 12:16 pm (UTC)
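An added illustration of two ideas from the comment above (it is not code from the original post): an extractor that rests on no hash or cipher assumption, von Neumann debiasing, and a conservative min-entropy credit for raw bits. The Geiger-counter source is simulated with a seeded PRNG and an exponential inter-event model purely so the script runs offline; the function names and that timing model are assumptions of this example, not anything the comment specifies.

```python
import math
import random

# Added example, not part of the original post. The "Geiger counter" is
# simulated with a seeded PRNG so this runs offline; a real design would read
# event timestamps from hardware. Function names are this example's own.


def intervals_to_raw_bits(intervals):
    """Map non-overlapping pairs of inter-event intervals to bits: 1 if the
    first interval is shorter than the second, 0 if longer; equal intervals
    yield nothing. For independent, identically distributed event timings
    P(t0 < t1) == P(t0 > t1), so this step assumes only independence of
    events, not any particular decay rate."""
    bits = []
    for i in range(0, len(intervals) - 1, 2):
        a, b = intervals[i], intervals[i + 1]
        if a < b:
            bits.append(1)
        elif a > b:
            bits.append(0)
    return bits


def von_neumann_extract(bits):
    """Von Neumann debiasing. For independent bits with an unknown but fixed
    bias p, the pairs 01 and 10 each occur with probability p(1-p), so emitting
    the first bit of every unequal pair gives exactly uniform output; 00 and 11
    are discarded. No SHA-x or AES is involved, which is the point when the
    consumer (e.g. a one-time pad) must not rest on an unproven primitive."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def min_entropy_per_bit(bits):
    """Most-common-value min-entropy estimate: -log2(max symbol probability).
    Min-entropy never exceeds Shannon entropy, so crediting by it is the
    conservative choice when deciding how many near-uniform bits to hand out."""
    if not bits:
        return 0.0
    ones = sum(bits)
    p_max = max(ones, len(bits) - ones) / len(bits)
    return -math.log2(p_max)


def conservative_credit(bits):
    """Whole bits of min-entropy to credit a pool for this raw sample."""
    return int(math.floor(len(bits) * min_entropy_per_bit(bits)))


def simulate_biased_source(n_bits, p_one, seed=1):
    """Constructed input: independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def simulate_decay_intervals(n_intervals, rate=1.0, seed=2):
    """Constructed input: exponential inter-event times, a Poisson process."""
    rng = random.Random(seed)
    return [rng.expovariate(rate) for _ in range(n_intervals)]


def demo():
    """Run a biased source and a simulated decay source through the pipeline."""
    raw = simulate_biased_source(20000, 0.7)
    clean = von_neumann_extract(raw)
    geiger_raw = intervals_to_raw_bits(simulate_decay_intervals(40000))
    geiger_clean = von_neumann_extract(geiger_raw)
    return {
        "raw_len": len(raw),
        "raw_min_entropy": min_entropy_per_bit(raw),
        "raw_credit": conservative_credit(raw),
        "clean_len": len(clean),
        "clean_ones_fraction": sum(clean) / len(clean),
        "clean_min_entropy": min_entropy_per_bit(clean),
        "geiger_raw_len": len(geiger_raw),
        "geiger_clean_len": len(geiger_clean),
        "geiger_clean_min_entropy": min_entropy_per_bit(geiger_clean),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The extractor's guarantee is only as good as the independence assumption: a stuck or correlated source is not repaired by debiasing, and a most-common-value estimate computed from the sample itself is fooled by patterned sequences such as 0101..., so it is a floor for a source already believed independent, not a test of independence. The price of dropping the computational assumption is throughput: with bias 0.7 roughly four fifths of the raw bits are discarded, which is why the Yarrow-style hashing approach wins for ordinary applications.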