| author | lloyd <[email protected]> | 2008-11-10 17:01:04 +0000 |
|---|---|---|
| committer | lloyd <[email protected]> | 2008-11-10 17:01:04 +0000 |
| commit | a67c21499a67cc6d7556b2320b1d86badb7dfffa (patch) | |
| tree | 7e13d50906b5718ebd862717775d1cc459484339 /doc | |
| parent | eb0a6e6f323c3ac9fb13228da926cc80d8bc5028 (diff) | |
Several changes to HMAC_RNG, many on the basis of the paper

Boaz Barak, Shai Halevi: A model and architecture for pseudo-random
generation with applications to /dev/random. ACM Conference on Computer and
Communications Security 2005.

which I was referred to by Hugo Krawczyk.

Changes include:

Remove the entropy estimation. This is a major point of Barak and
Halevi's paper: the entropy we want to estimate is the conditional
entropy of the collected data from the point of view of an
unknown attacker. Obviously this cannot be computed! Instead
HMAC_RNG simply counts each byte of sampled data as one bit of
estimated entropy.

Increase the reseed threshold from 2^14 to 2^20 outputs, and
change the fast poll during generation from once every 1024
outputs to once every 65536 outputs (though the fast poll might
not trigger that often, if output lengths are very large -
however this doesn't really matter much, and with the X9.31
wrapper it does kick off exactly every 2^16 outputs). The paper
also has some good arguments why it is better to reseed rarely,
making sure you have collected a large amount of (hopefully)
unguessable state.

Remove a second HMAC PRF operation which was only being done to
destroy the previous K value. Considering it has a short
lifetime, this seems excessive (and really hurt performance).
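The bookkeeping the commit message describes (one estimated bit per sampled byte, a fast poll every 2^16 outputs, a reseed every 2^20 outputs, HMAC as both extractor and output PRF) can be seen end to end in a small sketch. The code below is an added illustration written for this page; it is not Botan's HMAC_RNG and does not reproduce its PRF layout, domain separation or counter encoding, all of which are assumptions here, as are the class and method names. "Outputs" are counted as 32-byte PRF blocks rather than whatever unit Botan used, and the thresholds are constructor arguments so the reseed logic can be exercised with small values; the entropy source is a constructed deterministic stand-in, not a real poll.

```python
import hmac
import hashlib

HASH = hashlib.sha256

# Thresholds from the commit message. The toy counts one 32-byte PRF
# block as one "output"; the unit Botan used is an assumption.
RESEED_AFTER_OUTPUTS = 1 << 20
FAST_POLL_EVERY = 1 << 16


class ToyHmacRng:
    """Sketch of an HMAC extractor/PRF RNG with reseed-by-count and
    one-bit-per-byte entropy accounting. Not Botan's HMAC_RNG."""

    def __init__(self, poll_source, reseed_after=RESEED_AFTER_OUTPUTS,
                 fast_poll_every=FAST_POLL_EVERY):
        self.poll_source = poll_source      # callable returning sampled bytes
        self.reseed_after = reseed_after
        self.fast_poll_every = fast_poll_every
        # Extractor: HMAC over everything polled since the last reseed.
        # The fixed extractor key is an assumption of this sketch.
        self.pool = hmac.new(b"toy-hmac-rng-extractor", digestmod=HASH)
        self.sampled_bytes = 0              # estimate: one bit per byte
        self.prf_key = None                 # K for the output PRF
        self.counter = 0
        self.outputs_since_reseed = 0
        self.reseeds = 0
        self.fast_polls = 0

    def add_entropy(self, data: bytes) -> None:
        self.pool.update(data)
        self.sampled_bytes += len(data)

    def estimated_entropy_bits(self) -> int:
        # No attempt to measure conditional entropy: each sampled byte
        # is credited as exactly one bit, as the commit message states.
        return self.sampled_bytes

    def fast_poll(self) -> None:
        self.fast_polls += 1
        self.add_entropy(self.poll_source())

    def reseed(self) -> None:
        # Extract a fresh K from the pool, then start a new pool keyed by
        # the extracted value (chaining scheme is an assumption).
        extracted = self.pool.digest()
        self.prf_key = hmac.new(extracted, b"PRF key", digestmod=HASH).digest()
        self.pool = hmac.new(extracted, digestmod=HASH)
        self.sampled_bytes = 0
        self.outputs_since_reseed = 0
        self.reseeds += 1

    def random_bytes(self, n: int) -> bytes:
        if self.prf_key is None:            # first use: poll once, then seed
            self.fast_poll()
            self.reseed()
        out = bytearray()
        while len(out) < n:
            if self.outputs_since_reseed >= self.reseed_after:
                self.fast_poll()            # gather input before extracting
                self.reseed()
            elif (self.outputs_since_reseed
                  and self.outputs_since_reseed % self.fast_poll_every == 0):
                self.fast_poll()            # feed the pool, keep the old K
            block = hmac.new(self.prf_key, self.counter.to_bytes(8, "big"),
                             digestmod=HASH).digest()
            self.counter += 1
            self.outputs_since_reseed += 1
            out += block
        return bytes(out[:n])


def make_counting_source():
    """Constructed deterministic 'entropy' source for demonstration only;
    a real RNG must poll the OS or hardware instead."""
    state = {"n": 0}

    def source() -> bytes:
        state["n"] += 1
        return hashlib.sha256(b"constructed sample %d" % state["n"]).digest()

    return source


if __name__ == "__main__":
    rng = ToyHmacRng(make_counting_source(), reseed_after=8, fast_poll_every=4)
    data = rng.random_bytes(9 * 32)
    print(len(data), "bytes;", rng.reseeds, "reseeds;", rng.fast_polls, "fast polls")
```

With reseed_after=8 and fast_poll_every=4, nine blocks of output trigger the initial poll-and-seed, a fast poll at the fourth output, and a second poll-and-reseed at the eighth, which is the pattern the message describes at 2^16 and 2^20. Note that the entropy estimate is deliberately naive: sixteen sampled bytes are credited as sixteen bits regardless of their source, which is the trade the commit makes in place of an estimate that cannot be computed.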
Diffstat (limited to 'doc')
0 files changed, 0 insertions, 0 deletions