From: "James A. Donald" <jamesd@echeque.com>
Date: Wed, 20 Sep 95 23:27:45 PDT
To: cypherpunks@toad.com
Subject: Re: (none)
Message-ID: <199509210627.XAA14935@blob.best.net>
MIME-Version: 1.0
Content-Type: text/plain


At 06:05 AM 9/21/95 GMT, Phil Karlton wrote:
>James A. Donald <jamesd@echeque.com> writes:
>    Whenever you need a random number, take a one way checksum, 
>    for example MD5, of the most recently altered part of that 
>    buffer.  Use that as your random number. 
>
> How is this any better than feeding the data into the MD5
> hash as I go? This is not a rhetorical question.

Assuming that MD5 loses no entropy, it is identical, or very similar in
strength, since in the algorithm that I described the most recently altered
part of the buffer depends sensitively on all previous noise accumulated
into the buffer, so if the total cumulated entropy is larger than your block
size, you are OK.

However the algorithm I described simply used less computation, but the
overhead of continually doing MD5 is probably modest. 

No matter what you do, if you cumulate a hundred bits of entropy, and if you
use a one way hash to generate random numbers so that your session keys do
not leak information about your entropy, you are going to be safe against a
random number generator attack.

I suggested accumulating a very large amount of entropy, but obviously this
is just gilding the lily.
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd@echeque.com