Random Seed for Generating PGP Keys

Robert J. Hansen rjh at sixdemonbag.org
Wed May 27 16:29:01 CEST 2015 

> number it generates. I know that a CSPRNG is supposed to make this 
> cryptographically secure, but (and correct me if I'm wrong) it seems 
> that some one-time offline truly random process (like rolling a
> thousand non-biased coins by a no-biased person) is guaranteed to be
> more random than any HWRNG or software RNG that might actually have
> correlations you're not aware of.

This is not true.  A flipped coin has a very slight bias for the side
that was up when it was flipped.  Dice have subtle irregularities that
predispose them towards certain numbers and away from others.  Not even
quantum effects are truly random -- although the underlying effect may
be, the measuring apparatus by which we monitor the event will always
introduce hidden bias.  People have even managed to show bias in Geiger
counters (!!).

Software has problems, yes.  So too do manual processes.  And generally
speaking, competently-designed hardware or software solutions beat the
living daylights out of manual processes.  You can demonstrate the bias
of a flipped coin with nothing more than a couple of very boring days
spent flipping coins and some pen-and-paper work; demonstrating bias in,
say, an ANSIX9.17 RNG takes quite a lot more.

> (1) Is there a way to seed the random number generators used by
> GnuPG with a one-time manually entered seed?

Not really, no.

> (2) Is there a way to seed any of the random number generators
> people have mentioned in this thread, with a one-time manually
> entered seed?

Sure.  Most CSPRNGs permit you to specify the initial seed.

> (3) Is there a way to have GnuPG use a different random number
> generator like he ones people mentioned on this thread?

Not unless you hack the source.

> (4) Of the random number generators mentioned in this thread, which
> are cryptographically secure?

Can't be answered.  Whenever talking about cryptographically secure
PRNGs, you have to specify the operating assumptions.  Even something
with a proof of security attached (like Blum Blum Shub) you have to
specify the assumptions involved.  For instance, with Blum Blum Shub the
assumption is "the Integer Factorization Problem is intractable."

More information about the Gnupg-users mailing list