True RNG and GnuPG / libgcrypt

Charles Swiger cswiger at
Thu Oct 3 00:49:21 CEST 2013


On Oct 2, 2013, at 12:54 PM, Matthias-Christian Ott <ott at> wrote:
> On 09/26/13 04:45, NIIBE Yutaka wrote:
>> For me, it will be simple and solid if we can use the output of an RNG
>> device directly, for key generation operation of GnuPG, given the
>> condition where such an RNG device has best quality.
>> I mean, it would be good to have an interface which allows using RNG
>> device directly (even if /dev/random is available).
> That is a bad idea. How much “true randomness” per bit does NeuG
> generate? If this is less than 1.0, you could weaken security. For
> example with (non-deterministic) DSA you could leak parts of the private
> key, if the attacker can partially predict the output of the
> random number generator with a model of the device. So you can't simply
> read 128 bit of output from the random number generator, use it directly
> as the key and assume that your key provides “128 bit security”. You
> probably have to read a lot more and then compress the data with a hash
> function.

Indeed, putting a hopefully-strong (but maybe not) RNG or PRNG behind a hash
function like AES-256 is the notion which algorithms like Yarrow and Fortuna
use, and which FreeBSD and MacOS X in turn use for our /dev/random devices:

It might be nice to accurately know whether a platform provides a trustworthy
and genuinely random /dev/random, but there is no reason preventing GnuPG /
libgcrypt from doing Fortuna in userspace (aside from spending some extra
memory and CPU resources) so that it doesn't have to trust the quality
of /dev/random.
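As an added illustration of the "read more and compress with a hash" point made above (example code, not from GnuPG, libgcrypt or NeuG): the per-bit min-entropy estimate for the device is an assumed input, and the biased source is a constructed stand-in for a real RNG device.

```python
import hashlib
import math
import random

def bytes_needed(security_bits: int, entropy_per_bit: float) -> int:
    """Raw bytes to read so the input carries at least security_bits of
    min-entropy, using a conservative per-bit estimate for the device."""
    if not 0.0 < entropy_per_bit <= 1.0:
        raise ValueError("entropy_per_bit must be in (0, 1]")
    raw_bits = math.ceil(security_bits / entropy_per_bit)
    return (raw_bits + 7) // 8

def derive_key(read_raw, security_bits: int, entropy_per_bit: float) -> bytes:
    """Read enough raw RNG output for the target security level and
    compress it with SHA-256 instead of using the raw bits as the key.
    read_raw(n) must return exactly n bytes from the device."""
    if security_bits % 8 or not 0 < security_bits <= 256:
        raise ValueError("security_bits must be a multiple of 8, at most 256")
    n = bytes_needed(security_bits, entropy_per_bit)
    raw = read_raw(n)
    if len(raw) != n:
        raise IOError(f"short read: wanted {n} bytes, got {len(raw)}")
    # A fixed prefix separates this use from other hashes of the same data.
    digest = hashlib.sha256(b"rng-key-extract:" + raw).digest()
    return digest[: security_bits // 8]

def biased_source(p_one: float, seed: int = 1):
    """Constructed stand-in for a device whose bits are 1 with probability
    p_one (deterministic via seed, for the demo only; not a real RNG)."""
    rng = random.Random(seed)
    def read_raw(n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | (1 if rng.random() < p_one else 0)
            out.append(byte)
        return bytes(out)
    return read_raw

if __name__ == "__main__":
    p = 0.9
    # Min-entropy per bit of a biased bit: -log2(max(p, 1 - p)).
    h_min = -math.log2(max(p, 1 - p))
    print(f"min-entropy per bit ~ {h_min:.3f}; raw bytes for a 128-bit key:",
          bytes_needed(128, h_min))
    key = derive_key(biased_source(p), 128, h_min)
    print("derived key:", key.hex())
```

With a device that really is close to 1.0 bit of min-entropy per bit the function reads only 16 bytes; the lower the estimate, the more raw output it pulls before hashing.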
