excessive usage of /dev/random?
Robert J. Hansen
rjh at sixdemonbag.org
Sat May 2 07:54:48 CEST 2015
> One assertion (from Robert J. Hansen) implies that a "high school
> math overview of large number theory" suggests that it may well be
> reasonable to require 2400 bits of entropy to generate a 2048-bit RSA
And unreasonable, too. I specifically said that I couldn't use it to
argue one side or another, but rather it illuminated the uncertainty of
both sides. A capsule summary is below.
> The other assertion (From Peter Gutmann) says that it's not
> necessary (with a sarcastic allusion to "numerology")...
I concur with Peter's assessment that it's numerology. :)
> 1) key generation routines for these problems need an unpredictable
> source of entropy with which to search the space of possible values
> to produce a proper secret key.
A 2048-bit number as used in RSA has ~2028 shannons of uncertainty (due
to not every number being prime). To sort through 2028 shannons of
uncertainty using the general number field sieve requires approximately
2^112 work. (*Approximately*.) So I see an enormous disconnect between
the uncertainty of the prime and the work factor that goes into breaking
We talk about how a key has so many shannons of entropy, but the reality
is different: it has so much equivalent work factor. If we reduce the
uncertainty of the prime to a "mere" 112 shannons, will that affect the
work factor for the GNFS?
I don't know, and I don't trust my sense of large number theory enough
to even have a good guess.
More information about the Gnupg-users