excessive usage of /dev/random?

[Peter Gutmann]

"Robert J. Hansen" <rjh at sixdemonbag.org> writes:

>I thought BBS had a proof of security related to the difficulty of the
>quadratic residuosity problem.  Given how close that is to IFP, BBS seems to
>be as secure as RSA, which is good enough for my purposes.  ;)

Yeah, and that's its sole feature, that you can say it has "provable
security".  Apart from that it's really slow, awkward, and hard to implement.
In terms of practical security, it's probably no better than a decent HMAC-
based PRF, while having all of the above drawbacks.

Peter.