# Re: randomdev entropy gathering is really weak

```
Kris Kennaway wrote:
>
> On Sat, 22 Jul 2000, Jeroen C. van Gelderen wrote:
>
> > You don't care in practice, 256 bits are unguessable.
>
> Actually, I do... that's the entire point of using long keys.

I agree that you need long RSA keys ... but the real
the overall complexity of attacking the key:

The complexity of factoring a 1024-bit RSA key is on the
order of 2^71 operations. For a 3214-bit key it is roughly
equivalent to 2^101 complexity. (See [1][2] for gloriously
arcane details.)

Now, assuming that you generate a 3214-bit RSA key from a
256-bit entropy pool, the complexity of factoring it (2^101)
is much lower than the complexity of guessing the entropy
pool from which it was generated (2^256). Actually, factoring
is the most efficient attack up to the point where you are
using something like a 13841-bit RSA key[3].

So, for practical key purposes Yarrow-256 is in excess of
complexity requirements. (I can't say anything about other
uses than crypto but seeing as the promise of /dev/random
is cryptographically secure random numbers this should not
pose a problem.)

That said, there is nothing to prevent the system admin
from tweaking the Yarrow security parameters so that
Yarrow will only spit out as many bits of pseudo-randomness
as it gathers bits of entropy.[4]

Check out http://www.cryptosavvy.com/table.htm and preferably
the full paper at http://www.cryptosavvy.com/cryptosizes.pdf
if you remain unconvinced :-)

Cheers,
Jeroen

[1] Numbers from http://www.cryptosavvy.com/table.htm .

[2] Yes, this sort of means that using >= 128-bit keys is
overkill for most applications that use asymmetric
algorithms for key-negotiation :-)

[3] http://www.cryptosavvy.com/suggestions.htm

[4] And if you really would like to restore the old semantics
of /dev/[u]random, you could code it into Yarrow. Just
make /dev/random block based on the entropy estimation
that Yarrow keeps anyway.

--
Jeroen C. van Gelderen
[EMAIL PROTECTED]

```
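As an added illustration of the comparison in the post above (this is not part of the original thread), the following Python pins the asymptotic GNFS cost formula to the post's 1024-bit -> 2^71 data point and uses it to locate the modulus size at which guessing a 256-bit pool becomes cheaper than factoring. The cryptosavvy table the post cites comes from a more detailed cost model, so its figures for 3214 and 13841 bits differ from this estimate; the shape of the argument is what the script shows.

```python
import math

# Data point taken from the post: factoring a 1024-bit RSA modulus
# costs about 2^71 operations.
REF_MODULUS_BITS = 1024
REF_WORK_BITS = 71.0

def gnfs_log2_work(modulus_bits):
    """Asymptotic GNFS cost L_n[1/3, (64/9)^(1/3)] for a modulus of the given
    size, returned as log2 of the operation count (o(1) term dropped, so
    only differences between two sizes are meaningful)."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)

def rsa_security_bits(modulus_bits):
    """GNFS estimate calibrated to the post's 1024-bit -> 2^71 figure, so the
    unknown constant factor of the asymptotic curve is replaced by an
    observed one."""
    return REF_WORK_BITS + gnfs_log2_work(modulus_bits) - gnfs_log2_work(REF_MODULUS_BITS)

def effective_security(modulus_bits, pool_entropy_bits):
    """Security of a key generated from a pool holding pool_entropy_bits of
    entropy: the cheaper of factoring the modulus and re-deriving the key
    by guessing the pool state."""
    factoring = rsa_security_bits(modulus_bits)
    if factoring < pool_entropy_bits:
        return factoring, "factoring"
    return float(pool_entropy_bits), "guessing the pool"

def crossover_modulus_bits(pool_entropy_bits, step=8):
    """Smallest modulus size (stepping by `step`) at which guessing the pool
    becomes the cheaper attack, i.e. where pool size starts to matter."""
    bits = REF_MODULUS_BITS
    while rsa_security_bits(bits) < pool_entropy_bits:
        bits += step
    return bits

if __name__ == "__main__":
    for size in (1024, 3214, 13841):   # the three sizes discussed in the post
        work, limit = effective_security(size, 256)
        print(f"{size:6d}-bit RSA from a 256-bit pool: ~2^{work:.0f}, limited by {limit}")
    print("pool becomes the weak point at about", crossover_modulus_bits(256), "bits")
```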