Kris Kennaway wrote:
> On Sat, 22 Jul 2000, Jeroen C. van Gelderen wrote:
> > You don't care in practice, 256 bits are unguessable.
> Actually, I do... that's the entire point of using long keys.

I agree that you need long RSA keys ... but the real 
discussion isn't really about key length but rather about 
the overall complexity of attacking the key:

The complexity of factoring a 1024-bit RSA key is on the
order of 2^71 operations. For a 3214-bit key it is roughly 
equivalent to 2^101 complexity. (See [1][2] for gloriously 
arcane details.)

Now, assuming that you generate a 3214-bit RSA key from a 
256-bit entropy pool, the complexity of factoring it (2^101) 
is much lower than the complexity of guessing the entropy
pool from which it was generated (2^256). Actually, factoring 
is the most efficient attack up to the point where you are 
using something like a 13841-bit RSA key[3].

So, for practical key purposes Yarrow-256 is in excess of 
complexity requirements. (I can't say anything about other 
uses than crypto but seeing as the promise of /dev/random 
is cryptographically secure random numbers this should not 
pose a problem.)

That said, there is nothing to prevent the system admin 
from tweaking the Yarrow security parameters so that 
Yarrow will only spit out as many bits of pseudo-randomness 
as it gathers bits of entropy.[4]

Check out and preferably
the full paper at
if you remain unconvinced :-)


[1] Numbers from .

[2] Yes, this sort of means that using >= 128-bit keys is 
    overkill for most applications that use asymmetric
    algorithms for key-negotiation :-)


[4] And if you really would like to restore the old semantics
    of /dev/[u]random, you could code it into Yarrow. Just 
    make /dev/random block based on the entropy estimation 
    that Yarrow keeps anyway.

Jeroen C. van Gelderen          o      _     _         _
[EMAIL PROTECTED]  _o     /\_   _ \\o  (_)\__/o  (_)
                      _< \_   _>(_) (_)/<_    \_| \   _|/' \/
                     (_)>(_) (_)        (_)   (_)    (_)'  _\o_

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
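As an added illustration of footnote [4] above (this is example code written for this page, not FreeBSD's Yarrow implementation and not code from the post): a toy Yarrow-style generator in Python that keeps the per-reseed entropy estimate Yarrow maintains anyway and uses it to give /dev/random the old blocking semantics, while /dev/urandom output stays unlimited once the generator has been seeded. HMAC-SHA256 in counter mode stands in for Yarrow's block cipher in counter mode; the 256-bit reseed threshold, the 10-block generator gate and the credit cap at the state size are assumptions of this toy; the input samples and their entropy estimates are constructed. The last function shows the point the post makes about keys: two generators fed the same seed material produce identical output, so anything derived from it (an RSA key included) is a function of the seed entropy.

```python
import hashlib
import hmac


class ToyYarrow:
    """Minimal Yarrow-style PRNG with entropy accounting (illustration only)."""

    RESEED_THRESHOLD_BITS = 256  # assumed: reseed once the pool holds this much estimated entropy
    GATE_INTERVAL = 10           # assumed: rekey the generator from its own output every N blocks
    KEY_BITS = 256               # generator state size; credit beyond it buys nothing

    def __init__(self) -> None:
        self._pool = hashlib.sha256()   # accumulates raw input samples until the next reseed
        self._pool_bits = 0             # caller-supplied entropy estimate for those samples
        self._key = None                # generator key; None until the first reseed
        self._counter = 0
        self._credit_bits = 0           # entropy credit that blocking reads may spend

    @property
    def credit_bits(self) -> int:
        return self._credit_bits

    def add_entropy(self, sample: bytes, estimated_bits: int) -> bool:
        """Mix a sample into the pool; reseed when the estimate crosses the threshold."""
        self._pool.update(sample)
        self._pool_bits += estimated_bits
        if self._pool_bits < self.RESEED_THRESHOLD_BITS:
            return False
        # Reseed: new key = H(old key || pool digest), then start a fresh pool.
        old_key = self._key or b""
        self._key = hashlib.sha256(old_key + self._pool.digest()).digest()
        self._counter = 0
        # Credit the estimate to the blocking device, capped at the state size.
        self._credit_bits = min(self._credit_bits + self._pool_bits, self.KEY_BITS)
        self._pool = hashlib.sha256()
        self._pool_bits = 0
        return True

    def _next_block(self) -> bytes:
        self._counter += 1
        return hmac.new(self._key, self._counter.to_bytes(8, "big"), hashlib.sha256).digest()

    def _generate_block(self) -> bytes:
        block = self._next_block()
        if self._counter % self.GATE_INTERVAL == 0:
            # Generator gate: replace the key with unpublished output so that a later
            # compromise of the state does not reveal blocks produced before the gate.
            self._key = self._next_block()
        return block

    def read_urandom(self, n: int) -> bytes:
        """Non-blocking read: any amount of output once the generator has been seeded."""
        if self._key is None:
            raise RuntimeError("generator has not been seeded yet")
        out = bytearray()
        while len(out) < n:
            out += self._generate_block()
        return bytes(out[:n])

    def read_random(self, n: int) -> bytes:
        """Blocking read in the sense of [4]: hand out at most credit_bits/8 bytes and
        debit the credit. An empty result stands in for 'sleep until add_entropy()
        restores some credit'."""
        k = min(n, self._credit_bits // 8)
        if k == 0:
            return b""
        data = self.read_urandom(k)
        self._credit_bits -= 8 * k
        return data


# Constructed input samples; the entropy estimates are whatever the caller claims.
SAMPLES = [
    (b"keystroke-timings:" + bytes(range(16)), 128),
    (b"disk-latency:" + bytes(range(16, 32)), 128),
]


def feed(prng: ToyYarrow) -> bool:
    """Feed all constructed samples; report whether a reseed happened."""
    return any([prng.add_entropy(sample, bits) for sample, bits in SAMPLES])


def demo() -> dict:
    prng = ToyYarrow()
    reseeded = feed(prng)                          # 128 + 128 bits crosses the threshold
    urandom_len = len(prng.read_urandom(1000))     # unlimited once seeded
    first = prng.read_random(100)                  # 256 credit bits -> at most 32 bytes
    second = prng.read_random(1)                   # credit exhausted: would block
    prng.add_entropy(b"mouse:" + bytes(32), 256)   # fresh estimate restores credit
    third = prng.read_random(16)
    return {
        "reseeded": reseeded,
        "urandom_len": urandom_len,
        "random_lens": (len(first), len(second), len(third)),
        "credit_left": prng.credit_bits,
    }


def same_seed_same_output() -> bool:
    """Identical seed material gives identical output from two independent generators."""
    a, b = ToyYarrow(), ToyYarrow()
    feed(a)
    feed(b)
    return a.read_urandom(64) == b.read_urandom(64)


if __name__ == "__main__":
    print(demo())
    print("deterministic given the seed:", same_seed_same_output())
```

The design choice worth noting is that the blocking device does not need any machinery beyond what Yarrow already keeps: the reseed logic already tracks an entropy estimate, so `read_random` only has to treat that estimate as a budget and stop when it is spent, while `read_urandom` ignores the budget entirely, which is exactly the split the footnote proposes.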
