1996-11-29 - Re: Is /dev/random good enough to generate one-time pads?

Header Data

From: The Deviant <deviant@pooh-corner.com>
To: Steve Reid <steve@edmweb.com>
Message Hash: c1c2d93535dd866723c6f82e5521a74b1e2c42975177d11a5b156b621ef8234a
Message ID: <Pine.LNX.3.94.961129041858.1139C-100000@random.sp.org>
Reply To: <Pine.BSF.3.91.961128153422.182A-100000@bitbucket.edmweb.com>
UTC Datetime: 1996-11-29 04:24:08 UTC
Raw Date: Thu, 28 Nov 1996 20:24:08 -0800 (PST)

Raw message

From: The Deviant <deviant@pooh-corner.com>
Date: Thu, 28 Nov 1996 20:24:08 -0800 (PST)
To: Steve Reid <steve@edmweb.com>
Subject: Re: Is /dev/random good enough to generate one-time pads?
In-Reply-To: <Pine.BSF.3.91.961128153422.182A-100000@bitbucket.edmweb.com>
Message-ID: <Pine.LNX.3.94.961129041858.1139C-100000@random.sp.org>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 28 Nov 1996, Steve Reid wrote:

> > > Subj sez it all.
> > Yes, as a matter of fact it is.  /dev/random is based on an entropy pool
> > taken from hardware interrupts and such, thus is a RNG, not a PRNG
> 
> I expect it would be "good enough", but it is not _perfectly_ random, and 
> so it wouldn't be a true one-time pad.
> 
> Because it uses MD5, the bits are not all provably independent. You get 
> (very strong) cryptographic security instead of perfect security.
> 
> The one-time pad is easy to explain in theory, but implementing it
> perfectly is extremely difficult. Many people believe that quantum events
> are the only source of perfect randomness, but most methods for harvesting
> that randomness could introduce statistical properties. For example, a
> radioactive substance may have exactly a 50% chance of emitting a particle
> given a certain amount of time, but what happens if your timer isn't
> perfect? 
> 
> One-way hashes are good at removing such obvious and not-so-obvious
> statistical properties, but like a PRNG, you can't prove that the bits it
> produces are all completely independent. It's definately "good enough",
> but it's not perfect. 

One the same note, I must say that implimentation of OTP perfectly is
impossible; you can _never_ prove you have truly random numbers.  The
point is that if the numbers are reasonably independant of each other (i
know -- sortof a contradiction) then they are, as you said, good enough.

The real problem with OTP is still key exchange ;)

 --Deviant
   PGP KeyID = E820F015 Fingerprint = 3D6AAB628E3DFAA9 F7D35736ABC56D39

All extremists should be taken out and shot.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBMp5lHzCdEh3oIPAVAQEFxQf9EYQtOcxuNCyHE0VN309pT4ZqHiOCmDHK
+rxy6/M9EDJSywJTd7GC/cVwenHBiR7PjSpJ4tWxTvRrcM58BcF6x0BqSioDpUCj
MBOW+SqYSRtUSEdvdNwdrqKfbZbOQK9dkZ9Dznczj5OKacUJKHdb1A1bfPQPDMh8
1YaOUXTHlcXqX6bOMZ+4Jt2JT8A7dI2EJUxuWIwF3nDyaLW7m8qi5w6k1090Y/3x
4lQinZQIcGZ57J57UP+JfzssbM5RnbVgJTxT+VSVf9QrxrHmZfQTJo0uJ2qC0NwS
LPaNT8eQ6MEWdFJMEI4bGNMWec4yw/3UhKHhAPVkT51Teap3DzIeAQ==
=tx76
-----END PGP SIGNATURE-----






Thread