bram wrote:

> > > Most of the fancy reseedable PRNG schemes people have come up with are
> > > based on using secure hashes.
> >
> > They are sure validated, but are they the best we can do? MD5, the
> > nonplusultra, really?
> 
> The main reason for secure hashes being the primary primitive used for
> PRNGs is that they can 'add' entropy together quite effectively.

I don't think so. There are lots of cheaper ways to combine things
and get a nice entropic output, given a decent pool. Using a secure
hash gives you three advantages:

It depends on a large portion of the pool, which is definitely good
but not, I think, an absolute requirement. Something that used a
smaller portion of the pool might be OK provided it used enough and
met other requirements.

It reveals nothing useful about the state of the pool. There is no
known way for anyone to infer pool state, and therefore future
output, from previous outputs. This is the critical one.

The hash algorithms used have been pretty thoroughly analysed.
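
A toy hash-based pool that illustrates the two properties discussed above (inputs are folded together through the hash, and output is only ever hash(state), never the state itself). This is an added example, not code from anyone in the thread; it uses SHA-256 as the stand-in hash, and the domain-separation tags, the ratchet step and the sample names are my own constructed choices.

```python
import hashlib


class HashPool:
    """Toy reseedable entropy pool built on a secure hash.

    Every mix and every output block goes through SHA-256, so an observer
    only ever sees hash(pool state) and never the pool itself. Constructed
    for illustration only; not a production RNG.
    """

    DIGEST = hashlib.sha256

    def __init__(self, seed: bytes = b"") -> None:
        self._pool = self.DIGEST(b"init|" + seed).digest()
        self._counter = 0

    def add_entropy(self, sample: bytes) -> None:
        # 'Adding' entropy: fold the new sample into the whole existing pool.
        # A weak sample cannot reduce what is already there, because the
        # result depends on every bit of pool || sample.
        self._pool = self.DIGEST(b"mix|" + self._pool + sample).digest()

    def get_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            # Output block = hash(counter || pool); the pool state is never emitted.
            ctr = self._counter.to_bytes(8, "big")
            out += self.DIGEST(b"out|" + ctr + self._pool).digest()
            self._counter += 1
        # Ratchet the pool after each request so a later state compromise does
        # not let an attacker recompute earlier outputs from the old state.
        self._pool = self.DIGEST(b"ratchet|" + self._pool).digest()
        return bytes(out[:n])


def demo() -> dict:
    """Same inputs -> identical stream; one differing sample -> unrelated stream."""
    a, b, c = HashPool(b"seed"), HashPool(b"seed"), HashPool(b"seed")
    for p in (a, b):
        p.add_entropy(b"timer-sample-1")   # constructed sample
        p.add_entropy(b"keyboard-sample")  # constructed sample
    c.add_entropy(b"timer-sample-2")       # differs from a/b in one sample
    c.add_entropy(b"keyboard-sample")
    return {"a": a.get_bytes(32), "b": b.get_bytes(32), "c": c.get_bytes(32)}
```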
