Cicero (cicero@redneck.efga.org)
15 Jul 1998 19:48:42 -0000
Bram wrote:
<snip>
>
>> With the current state of technology, sufficient entropy would be 80
>> to 160 bits, depending on the threat model.
>
>When is it either one? If an application is getting fed strings which only
>contain small amounts of entropy, it's necessary to set up two PRNGs, the
>first one of which simply acts as a collection area for entropy, it's
>output being fed into the 'main' PRNG which is used for output. How much
>new entropy should one wait to be put into the collection area before
>using it to reseed main, 80 or 160 bits?
>
The figures of 80 and 160 are rough off-hand guesses, which are a
statement about the estimated strength of threat models. The lower
figure of 80 bits was mentioned in the recent report by numerous (7?
or 11?) cryptographers on key-strength, as being quite good for not
terribly sensitive commercial data. The upper bound is well above the
current brute force limit for the human race for some years yet (as 128
probably would be too).
As David Wagner just pointed out, if you add less entropy than will
overwhelm your threat model between 2 outputs, then that update is at
risk from attack.
Cicero
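The two-stage design Bram describes, together with the point Cicero attributes to David Wagner, worked through as an added example (Python written for this page, not code from anyone in the thread). The choice of a running SHA-256 hash for the collection pool, HMAC-SHA256 in counter mode for the main generator, the reseed rule, the per-input entropy credits and the attacker model in guess_reseed (an attacker holding a complete copy of the state just before a reseed) are all assumptions of the example, not anything the posters specified.

```python
# Two-stage PRNG as discussed in the thread: a collection pool that only
# reseeds the main output generator once it has been credited with at least
# `threshold` bits of entropy, plus the attack against a too-small threshold.
# Added example, constructed for this page; not code from either poster.
import hashlib
import hmac
import itertools
from dataclasses import dataclass, replace
from typing import Optional, Tuple


def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so (a, b) and (a+b) never collide."""
    s = hashlib.sha256()
    for p in parts:
        s.update(len(p).to_bytes(4, "big") + p)
    return s.digest()


@dataclass(frozen=True)
class State:
    pool: bytes      # collection area: running hash of everything fed in
    pool_bits: int   # entropy credited to the pool since the last reseed
    key: bytes       # key of the main (output) generator
    counter: int     # output counter of the main generator


def feed(st: State, data: bytes, credited_bits: int, threshold: int) -> State:
    """Mix `data` into the pool. The caller supplies the entropy estimate
    (assumed honest here); the main generator is reseeded only once the
    credited total reaches `threshold` (80 or 160 bits in the thread),
    never on every input."""
    st = replace(st, pool=_h(b"pool", st.pool, data),
                 pool_bits=st.pool_bits + credited_bits)
    if st.pool_bits >= threshold:
        # New key depends on the old key AND the pool, so an attacker must
        # guess the whole pool contents (>= threshold bits) to follow along.
        st = replace(st, key=_h(b"reseed", st.key, st.pool), pool_bits=0, counter=0)
    return st


def output(st: State) -> Tuple[State, bytes]:
    """Main generator: HMAC-SHA256 in counter mode under the current key."""
    st = replace(st, counter=st.counter + 1)
    return st, hmac.new(st.key, st.counter.to_bytes(8, "big"), hashlib.sha256).digest()


def guess_reseed(known: State, observed: bytes, input_len: int,
                 threshold: int) -> Optional[State]:
    """Attack model (an assumption of this example): the attacker captured the
    full state `known` just before a reseed and then sees one output after it.
    They try every possible `input_len`-byte pool input (cost 256**input_len)
    and keep the candidate that reproduces `observed`.
    Returns the recovered state or None."""
    for guess in itertools.product(range(256), repeat=input_len):
        cand = feed(known, bytes(guess), 8 * input_len, threshold)
        cand, out = output(cand)
        if hmac.compare_digest(out, observed):
            return cand
    return None


def demo() -> Tuple[bool, int]:
    """Returns (attack succeeded at threshold 8, bits to guess at threshold 80)."""
    start = State(pool=bytes(32), pool_bits=0, key=b"\x11" * 32, counter=0)
    # Threshold 8: a single byte triggers a reseed; 256 guesses recover the state.
    weak = feed(start, b"\x2a", 8, 8)
    weak, out = output(weak)
    recovered = guess_reseed(start, out, 1, 8)
    # Threshold 80: the same one-byte inputs accumulate; no reseed happens until
    # ten of them arrive, and the attacker must then guess all 80 bits at once.
    strong = start
    fed = 0
    while strong.key == start.key:
        strong = feed(strong, bytes([fed]), 8, 80)
        fed += 1
    return recovered == weak, 8 * fed


if __name__ == "__main__":
    print(demo())  # (True, 80)
```

Two things worth noticing when running it. Between reseeds the outputs give an attacker who already holds the state nothing new, but they also cost nothing, so batching inputs until the credited total reaches the threshold loses no security compared with reseeding on every input; reseeding on every small input, by contrast, lets the attacker extend a one-time state compromise indefinitely, one cheap guess at a time. And the whole argument rests on the entropy credits being honest: if the caller credits 8 bits for inputs that really carry 2, the "80-bit" reseed is guessable in 2^20 trials.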
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:25 ADT