On Sat, Apr 02, 2022 at 12:44:42PM +0800, Sandy Harris wrote: > Yarrow is a good design, but it has limitations; in particular > the Yarrow paper says the cryptographic strength is limited > to the size of the hash context, 160 bits for their SHA-1 & > 512 for our Blake. > > 512 bits is more than enough for nearly all use cases, but > we may have some where it is not. How many random bits > are needed to generate a 4k-bit PGP key? > > Will some users try to generate one-time pads from /dev/random? > The OTP security proof requires truly random data as long as the > message; with anything short of that the proof fails & you get > a stream cipher. All the data from /dev/{u,}random is generated by ChaCha20, which is a 256-bit stream cipher. We don't target, or need to target, more than 256-bit security. So the entropy pool itself doesn't need to be more than 256 bits, provided that it is implemented properly using a cryptographic hash function, which it now is. - Eric