On Sat, 17 Jul 1999, Eugene Leitl wrote:

> bram writes:
> 
>  > Most of the fancy reseedable PRNG schemes people have come up with are
>  > based on using secure hashes.
> 
> They are sure validated, but are they the best we can do? MD5, the
> nonplusultra, really?

The main reason for secure hashes being the primary primitive used for
PRNGs is that they can 'add' entropy together quite effectively.

People mostly seem to talk about SHA-1 being used for it, although
RIPEMD-160 has the same hash length (and, I believe, the same block size)
so they're basically substitutable. The main unnecessary performance hit
is that those algorithms aren't optimized for hashing blocks of the same
length as their output - they're designed for much longer things. I don't
know if anyone's using that as a criterion for new secure hash functions,
although they probably should. Truth be known, though, applications which
do network interaction and public key functions never bottleneck on their
random number generation, and yarrow even at its most conservative is
never worse than a third the speed of the standard /dev/random anyway.

-Bram
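The reason Bram gives for building PRNGs on secure hashes is that a hash lets you 'add' entropy from several sources into one pool: H(pool || sample) depends on everything mixed in so far, so no single weak source can cancel out the others. The sketch below is an added example written for this page, not code from the thread, from Yarrow, or from /dev/random; it shows the pool-then-reseed shape in its simplest form. The hash name, the length-prefixed sample mixing, the key update rule H(old key || pool digest) and the HMAC-over-counter output stage are my own simplifying choices (Yarrow's real design has two pools, reseed thresholds and a block-cipher output stage, none of which are modelled here). The samples fed in are constructed inputs.

```python
import hashlib
import hmac


class HashPool:
    """Reseedable PRNG with a hash-based entropy pool (illustrative sketch).

    Every sample is hashed into a running pool; reseeding folds the pool
    digest into the generator key; output is HMAC(key, counter).  This is
    an added example for the thread above, not Yarrow or /dev/random.
    """

    def __init__(self, hashname="sha256"):
        # The thread talks about SHA-1 / RIPEMD-160 (160-bit output); any
        # hashlib name works here, the default is just a modern choice.
        self.hashname = hashname
        self.pool = hashlib.new(hashname)  # accumulates samples until reseed
        self.key = None                    # generator key, set on first reseed
        self.counter = 0                   # output block counter under the key
        self.samples = 0                   # samples mixed since last reseed

    def add_entropy(self, sample: bytes) -> None:
        # 'Adding' entropy is just hashing more data into the pool.  The
        # length prefix stops two samples b"ab",b"c" colliding with b"a",b"bc".
        self.pool.update(len(sample).to_bytes(4, "big"))
        self.pool.update(sample)
        self.samples += 1

    def reseed(self) -> None:
        # New key = H(old key || pool digest).  The old key still contributes,
        # so recovering the new state needs both the old key and every
        # sample that went into the pool since the last reseed.
        h = hashlib.new(self.hashname)
        h.update(self.key or b"")
        h.update(self.pool.digest())
        self.key = h.digest()
        self.pool = hashlib.new(self.hashname)
        self.counter = 0
        self.samples = 0

    def random_bytes(self, n: int) -> bytes:
        # Output stage: keyed hash over a counter.  Note the input being
        # hashed is tiny, which is the 'block the size of the output' case
        # Bram says the hash functions are not optimized for.
        if self.key is None:
            raise RuntimeError("reseed() before generating output")
        out = bytearray()
        while len(out) < n:
            block = hmac.new(self.key, self.counter.to_bytes(8, "big"),
                             self.hashname).digest()
            out += block
            self.counter += 1
        return bytes(out[:n])


def pool_from_samples(samples, hashname="sha256") -> HashPool:
    """Helper: mix a list of constructed samples and reseed once."""
    p = HashPool(hashname)
    for s in samples:
        p.add_entropy(s)
    p.reseed()
    return p


if __name__ == "__main__":
    # Constructed sample inputs standing in for timing jitter, interrupts, etc.
    p = pool_from_samples([b"mouse:1024,768", b"irq:17", b"disk:4095us"])
    print(p.random_bytes(20).hex())
```

The two properties worth checking by hand are that the same samples in the same order give the same stream (the pool is deterministic), and that changing or reordering any one sample changes the key, which is exactly the 'adds entropy together' behaviour the hash is there to provide.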
