Re: Is /dev/random good enough to generate one-time pads?
Subj sez it all. Yes, as a matter of fact it is. /dev/random is based on an entropy pool taken from hardware interrupts and such, thus is a RNG, not a PRNG
I expect it would be "good enough", but it is not _perfectly_ random, and so it wouldn't be a true one-time pad. Because it uses MD5, the bits are not all provably independent. You get (very strong) cryptographic security instead of perfect security. The one-time pad is easy to explain in theory, but implementing it perfectly is extremely difficult. Many people believe that quantum events are the only source of perfect randomness, but most methods for harvesting that randomness could introduce statistical properties. For example, a radioactive substance may have exactly a 50% chance of emitting a particle given a certain amount of time, but what happens if your timer isn't perfect? One-way hashes are good at removing such obvious and not-so-obvious statistical properties, but like a PRNG, you can't prove that the bits it produces are all completely independent. It's definately "good enough", but it's not perfect.
-----BEGIN PGP SIGNED MESSAGE----- On Thu, 28 Nov 1996, Steve Reid wrote:
Subj sez it all. Yes, as a matter of fact it is. /dev/random is based on an entropy pool taken from hardware interrupts and such, thus is a RNG, not a PRNG
I expect it would be "good enough", but it is not _perfectly_ random, and so it wouldn't be a true one-time pad.
Because it uses MD5, the bits are not all provably independent. You get (very strong) cryptographic security instead of perfect security.
The one-time pad is easy to explain in theory, but implementing it perfectly is extremely difficult. Many people believe that quantum events are the only source of perfect randomness, but most methods for harvesting that randomness could introduce statistical properties. For example, a radioactive substance may have exactly a 50% chance of emitting a particle given a certain amount of time, but what happens if your timer isn't perfect?
One-way hashes are good at removing such obvious and not-so-obvious statistical properties, but like a PRNG, you can't prove that the bits it produces are all completely independent. It's definately "good enough", but it's not perfect.
One the same note, I must say that implimentation of OTP perfectly is impossible; you can _never_ prove you have truly random numbers. The point is that if the numbers are reasonably independant of each other (i know -- sortof a contradiction) then they are, as you said, good enough. The real problem with OTP is still key exchange ;) --Deviant PGP KeyID = E820F015 Fingerprint = 3D6AAB628E3DFAA9 F7D35736ABC56D39 All extremists should be taken out and shot. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBMp5lHzCdEh3oIPAVAQEFxQf9EYQtOcxuNCyHE0VN309pT4ZqHiOCmDHK +rxy6/M9EDJSywJTd7GC/cVwenHBiR7PjSpJ4tWxTvRrcM58BcF6x0BqSioDpUCj MBOW+SqYSRtUSEdvdNwdrqKfbZbOQK9dkZ9Dznczj5OKacUJKHdb1A1bfPQPDMh8 1YaOUXTHlcXqX6bOMZ+4Jt2JT8A7dI2EJUxuWIwF3nDyaLW7m8qi5w6k1090Y/3x 4lQinZQIcGZ57J57UP+JfzssbM5RnbVgJTxT+VSVf9QrxrHmZfQTJo0uJ2qC0NwS LPaNT8eQ6MEWdFJMEI4bGNMWec4yw/3UhKHhAPVkT51Teap3DzIeAQ== =tx76 -----END PGP SIGNATURE-----
participants (2)
-
Steve Reid -
The Deviant