random number quality

Simon Josefsson jas@extundo.com
Sun, 29 Sep 2002 19:53:07 +0200


What is the difference between the three random number quality levels?

The comment in the header only says what to use the different levels
for, but I think this is too vague.  Stating that e.g. WEAK numbers
use an algorithm from Knuth or something, STRONG uses cryptographic
random numbers but does not stall the program waiting for the random
number pool to contain enough entropy, and the VERY_STRONG uses
cryptographic entropy and stalls the program waiting for enough
entropy to become available would be clearer (of course, only if this
is how it is implemented, I didn't look but this is how I would want
it to work).

/* The possible values for the random quality.  The rule of thumb is
   to use WEAK for random number which don't need to be
   cryptographically strong, STRONG for session keys and VERY_STRONG
   for key material. */
enum gcry_random_level
  {
    GCRY_WEAK_RANDOM = 0,
    GCRY_STRONG_RANDOM = 1,
    GCRY_VERY_STRONG_RANDOM = 2
  };

Thanks.