Discussion:
cryptographically secure generators?
izaqyos
2005-01-18 09:31:03 UTC
I am searching for a good cryptographically secure pseudo random number
generator.

LCG generators are no good (single seeded, short period and sample
correlations).

I was considering using Mersenne Twister PRNG, but I'm not sure about
its cryptographic strength.
Also considered using Yarrow/Fortuna, but I need a faster RNG.

I'd appreciate any references to efficient cryptographically secure
RNGs.

TIA
David Wagner
2005-01-18 11:06:35 UTC
Post by izaqyos
I am searching for a good cryptographically secure pseudo random number
generator. [...]
I was considering using Mersenne Twister PRNG, but I'm not sure about
its cryptographic strength.
No, Mersenne Twister is not cryptographically strong.

Yarrow and Fortuna are for crunching semi-random values from many entropy
sources to generate a uniformly distributed cryptographic key. Is that
what you want?

It sounded like you want a scheme that will take a short uniformly
distributed cryptographic key and generate a long stretch of pseudorandom
bits that are cryptographically secure. If so, I suggest you consider
AES-CTR, 3DES-CTR, or some such scheme.
izaqyos
2005-01-19 16:10:57 UTC
Post by David Wagner
No, Mersenne Twister is not cryptographically strong.
Can you please specify why it's considered not cryptographically weak?
I couldn't find any articles, tests, etc. to support such a claim.
Post by David Wagner
Yarrow and Fortuna are for crunching semi-random values from many entropy
sources to generate a uniformly distributed cryptographic key. Is that
what you want?
Not really, thanks for the clarification.
Post by David Wagner
It sounded like you want a scheme that will take a short uniformly
distributed cryptographic key and generate a long stretch of pseudorandom
bits that are cryptographically secure. If so, I suggest you consider
AES-CTR, 3DES-CTR, or some such scheme.
Exactly what I need. Only problem is that I need low complexity (or
more specifically, good performance).
Guess I'd have to browse the code, or benchmark them...

thanks.
Nicholas Weaver
2005-01-19 17:12:03 UTC
Post by izaqyos
exactly what I need. only problem is that I need low complexity (or
more specifically, good performance).
Good performance on WHAT? And what is "good"?

You can nearly get a Gb out of AES-CTR mode on a high end desktop
microprocessor.
--
Nicholas C. Weaver. to reply email to "nweaver" at the domain
icsi.berkeley.edu
bob
2005-02-16 04:51:53 UTC
Post by izaqyos
Post by David Wagner
AES-CTR, 3DES-CTR, or some such scheme.
exactly what I need. only problem is that I need low complexity (or
more specifically, good performance).
Guess I'd have to browse the code, or benchmark them...
thanks.
AES-CTR is very fast. Only about 3-5 times slower than LCG in some
benchmarks I did. I use them for MCMC simulations. As far as nonlinear
generators go, that's about as good as it gets for speed.

Remember that if you are going for the "proper" secure mode, usually the key
is reseeded with the generator after a set of random bits are requested.
The counter is *not* reset. The idea is that each successive set of bits
(aka block) is more independent and the counter still guarantees a long
period. But then you are re-keying frequently with the appropriate
performance hit.

Generally fast==insecure. These days we don't need to be so paranoid about
performance.

Greg
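The generator David Wagner suggests (a short uniformly random key expanded into a long pseudorandom stream with AES-CTR) and the re-keying schedule bob describes (swap the key after a fixed number of blocks, never reset the counter) fit in one small Go program. This is an added example, not code from any poster; it uses only the standard library's crypto/aes, derives each replacement key from the generator's own output (one reasonable choice; the thread does not say where the new key comes from), and the 16-byte key in main is drawn from crypto/rand. The throughput figure it prints is the kind of number Nicholas Weaver's "Gb out of AES-CTR" remark refers to, measured on whatever machine you run it on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"os"
	"time"
)

// CTRGenerator expands a short uniformly random AES key into a long stream of
// pseudorandom bytes by encrypting a running 64-bit counter (AES in CTR mode).
// Re-keying follows the scheme described in the thread: after reseedAfter
// blocks the key is replaced by fresh generator output, while the counter keeps
// running and is never reset. reseedAfter == 0 disables re-keying.
type CTRGenerator struct {
	block       cipher.Block
	keyLen      int
	counter     uint64 // placed big-endian in the low 8 bytes of each input block
	blocksSince uint64 // blocks produced under the current key
	reseedAfter uint64
	rekeys      int
}

// NewCTRGenerator accepts a 16-, 24- or 32-byte key (AES-128/192/256).
func NewCTRGenerator(key []byte, reseedAfter uint64) (*CTRGenerator, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &CTRGenerator{block: b, keyLen: len(key), reseedAfter: reseedAfter}, nil
}

// nextBlock encrypts the current counter value and advances the counter.
func (g *CTRGenerator) nextBlock() [aes.BlockSize]byte {
	var in, out [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[8:], g.counter)
	g.block.Encrypt(out[:], in[:])
	g.counter++
	g.blocksSince++
	return out
}

// rekey draws keyLen bytes of keystream and installs them as the new key.
// The counter is left alone, so no counter value is ever used under two keys.
func (g *CTRGenerator) rekey() {
	newKey := make([]byte, g.keyLen)
	for off := 0; off < len(newKey); {
		blk := g.nextBlock()
		off += copy(newKey[off:], blk[:])
	}
	b, err := aes.NewCipher(newKey)
	if err != nil {
		panic(err) // keyLen was validated by the constructor
	}
	g.block = b
	g.blocksSince = 0
	g.rekeys++
}

// Read fills buf with pseudorandom bytes, re-keying whenever the block budget
// for the current key is used up.
func (g *CTRGenerator) Read(buf []byte) {
	for off := 0; off < len(buf); {
		if g.reseedAfter > 0 && g.blocksSince >= g.reseedAfter {
			g.rekey()
		}
		blk := g.nextBlock()
		off += copy(buf[off:], blk[:])
	}
}

// Counter and Rekeys expose internal state so callers can inspect the schedule.
func (g *CTRGenerator) Counter() uint64 { return g.counter }
func (g *CTRGenerator) Rekeys() int     { return g.rekeys }

func main() {
	key := make([]byte, 16) // the "short uniformly distributed key"
	if _, err := rand.Read(key); err != nil {
		fmt.Fprintln(os.Stderr, "seeding failed:", err)
		os.Exit(1)
	}
	g, err := NewCTRGenerator(key, 1<<16) // re-key after every 1 MiB of output
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	buf := make([]byte, 64<<20)
	start := time.Now()
	g.Read(buf)
	el := time.Since(start)
	fmt.Printf("generated %d MiB in %v (%.0f MB/s), re-keyed %d times\n",
		len(buf)>>20, el, float64(len(buf))/el.Seconds()/1e6, g.Rekeys())
}
```

The per-block Encrypt loop is written that way so the counter handling and the re-key point are visible; for bulk output the standard library's cipher.NewCTR is faster, but it hides the counter, which is exactly the state this schedule needs to control. Note that with re-keying disabled the output is plain AES-CTR keystream, so the first block is AES_k(0), the second AES_k(1), and so on.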