monotone-devel

Re: [Monotone-devel] nvm.stripped versus botan


From: Zack Weinberg
Subject: Re: [Monotone-devel] nvm.stripped versus botan
Date: Sat, 31 Jan 2009 11:48:44 -0800

On Sat, Jan 31, 2009 at 3:58 AM, Jack Lloyd <address@hidden> wrote:
> On Wed, Jan 21, 2009 at 03:18:34PM -0800, Zack Weinberg wrote:
>> ... there is no point in going to high-quality system entropy
>> sources for a 30-bit nonce in a file name, but if the Botan API
>> exposed a cheap thing that (for instance) took a bunch of
>> high-resolution timer samples and ran them through Fortuna, I'd
>> totally use that.
>
> ... in a branch I've added the ability to tell the PRNG approximately
> how much entropy you need it to be seeded with, which can speed up the
> polling quite a bit. Specifically if the request is <= 128 bits, the
> entire request will be serviced from /dev/*random (if it is around),
> which is pretty fast.
>
> On my Core2, I'm seeing seeding 1000 PRNGs with an estimated 64 bits
> of entropy each (consisting of rdtsc's output plus 8 bytes from
> /dev/random) take about .07 seconds.

That sounds like it would work, except that as an application writer
I'd rather think about "how many bits of what quality entropy I need
the PRNG to produce" rather than "how many bits of high-quality
entropy should I put into the PRNG to get it going".

For instance, the temporary file creator uses 30-bit nonces; in normal
use there will be only one nonce generated per call to the function;
and the attacker work factor should be 2**15 (brute force birthday
attack on 30 bits).  So there's an upper bound of 30 bits of true
entropy per call, but I doubt even that much is truly necessary.

zw
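The birthday-bound arithmetic behind the "2**15" work factor in the message above, as an added example that is not part of the original thread, of monotone, or of Botan. It computes the expected number of uniform n-bit nonces drawn before the first repeat, sqrt(pi/2 * 2**n), and checks it empirically for small n with a seeded simulation; the function names and the choice of `random.Random` for the simulation are this example's own assumptions, not anything the thread specifies.

```python
"""Birthday-bound check for short nonces.

Added example (not monotone or Botan code).  The message above argues that a
30-bit temp-file nonce only needs to resist a birthday-style collision search
of about 2**15 guesses.  This script makes that concrete: it computes the
analytic expected number of uniform n-bit draws before the first repeat and
measures it empirically for small n so the two can be compared.  The 30-bit
case is computed analytically only; the formula is the same.
"""
import math
import random
from statistics import mean


def birthday_bound(bits: int) -> float:
    """Expected number of uniform n-bit draws until the first collision,
    sqrt(pi/2 * 2**n).  For 30 bits this is about 41,000 draws, i.e. roughly
    2**15.3, which is the work factor quoted in the thread."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def work_factor_bits(bits: int) -> float:
    """log2 of birthday_bound: the attacker's collision effort expressed in bits
    (about n/2 plus a small constant)."""
    return math.log2(birthday_bound(bits))


def draws_until_collision(bits: int, rng: random.Random) -> int:
    """Draw n-bit nonces from rng until one repeats; return how many were drawn,
    counting the repeat.  rng is seeded by the caller so runs are reproducible;
    a real temp-file nonce should come from os.urandom()/secrets, not this."""
    seen = set()
    while True:
        nonce = rng.getrandbits(bits)
        if nonce in seen:
            return len(seen) + 1
        seen.add(nonce)


def empirical_collision_draws(bits: int, trials: int, seed: int = 1) -> float:
    """Mean of draws_until_collision over `trials` independent runs (fixed seed).
    Expect it to land near birthday_bound(bits), with a spread of roughly
    0.52 * birthday_bound(bits) per run."""
    rng = random.Random(seed)
    return mean(draws_until_collision(bits, rng) for _ in range(trials))


if __name__ == "__main__":
    for n in (12, 16, 20):
        print(f"{n:2d}-bit nonce: analytic {birthday_bound(n):7.0f} draws, "
              f"empirical mean {empirical_collision_draws(n, 200):7.0f}")
    print(f"30-bit nonce: analytic {birthday_bound(30):.0f} draws "
          f"(~2**{work_factor_bits(30):.1f})")
```

The practical reading is the one in the message: the collision cost of an n-bit nonce is about 2**(n/2), not 2**n, so a 30-bit nonce buys roughly 15 bits of attacker work regardless of how much entropy was poured into the generator behind it.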
