Is /dev/random good enough to generate one-time pads?

Steve Reid steve at edmweb.com
Thu Nov 28 16:27:33 PST 1996


> > Subj sez it all.
> Yes, as a matter of fact it is.  /dev/random is based on an entropy pool
> taken from hardware interrupts and such, thus is a RNG, not a PRNG

I expect it would be "good enough", but it is not _perfectly_ random, and 
so it wouldn't be a true one-time pad.

Because it uses MD5, the bits are not all provably independent. You get 
(very strong) cryptographic security instead of perfect security.

The one-time pad is easy to explain in theory, but implementing it
perfectly is extremely difficult. Many people believe that quantum events
are the only source of perfect randomness, but most methods for harvesting
that randomness could introduce statistical properties. For example, a
radioactive substance may have exactly a 50% chance of emitting a particle
given a certain amount of time, but what happens if your timer isn't
perfect? 

One-way hashes are good at removing such obvious and not-so-obvious
statistical properties, but like a PRNG, you can't prove that the bits it
produces are all completely independent. It's definitely "good enough",
but it's not perfect.
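As an added illustration, not part of the original post: a constructed, skewed bit source stands in for the imperfect-timer case above, the pad is applied by XOR, and each 64-byte chunk of raw bits is folded through MD5 as the /dev/random of the time did. The hash hides the measurable bias, but that only shows the output passes a statistic, not that its bits are provably independent.

```python
import hashlib
import random

def biased_bits(n_bits: int, p_one: float = 0.6, seed: int = 1) -> bytes:
    """Constructed stand-in for a physical source whose imperfect timer
    skews it: each bit is 1 with probability p_one instead of exactly 0.5."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n_bits // 8):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | (1 if rng.random() < p_one else 0)
        out.append(byte)
    return bytes(out)

def ones_fraction(data: bytes) -> float:
    """Fraction of set bits; a perfectly unbiased pad would sit at 0.5."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))

def hash_whiten(raw: bytes, ratio: int = 4) -> bytes:
    """Fold each (16*ratio)-byte chunk of raw source bits into one 16-byte
    MD5 digest, the way /dev/random hid statistical defects in its pool.
    The output looks uniform, but independence of its bits is not provable."""
    chunk = 16 * ratio
    return b"".join(hashlib.md5(raw[i:i + chunk]).digest()
                    for i in range(0, len(raw) - chunk + 1, chunk))

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad encryption/decryption: XOR with a pad of the same length."""
    assert len(pad) >= len(data)
    return bytes(d ^ p for d, p in zip(data, pad))

def leak_demo(pad: bytes) -> tuple:
    """Perfect secrecy requires the ciphertext distribution to be the same for
    every message. Encrypt an all-zero and an all-one message under the same
    pad and return the ones-fraction of each ciphertext; if a listener can
    tell them apart, the pad has leaked something about the plaintext."""
    n = len(pad)
    return (ones_fraction(otp_xor(b"\x00" * n, pad)),
            ones_fraction(otp_xor(b"\xff" * n, pad)))

if __name__ == "__main__":
    raw = biased_bits(131072)               # 16 KiB from the skewed source
    print("raw source ones fraction:   ", round(ones_fraction(raw), 3))
    print("biased pad leaks:           ", leak_demo(raw[:4096]))
    whitened = hash_whiten(raw)             # 4 KiB after 4:1 MD5 folding
    print("whitened pad ones fraction: ", round(ones_fraction(whitened), 3))
    print("whitened pad leaks:         ", leak_demo(whitened))
```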
