I have 320 bits of seed data (actually 512 bits of data with 320 bits of entropy, derived from a Diffie-Hellman shared secret and nonces). The PRNG I am using at the moment is the Android version of SHA1PRNG. As far as I can tell, it has 160 bits of internal state, and so any entropy over 160 bits would be wasted. Could I create two instances, seeding each with half the data, and combine them somehow? The obvious possibilities would be to alternate which PRNG I pull each byte from, or to XOR the two streams together, but I don't know how that would affect the total entropy.
2 Answers
Why are you afraid of "overseeding" the PRNG? The Java SecureRandom class specifies the setSeed function as:
public void setSeed(byte[] seed)
So just feed the 320 bits (40 bytes) data to the setSeed function and it will supplement the existing seed. Leave the compression into the state to the underlying SecureRandom implementation.
[EDIT1]
Note that the SHA1PRNG implementation simply uses the new seed in a message digest update, and that message digest is SHA-1, hence the 160 bit state.
[EDIT2]
Note that it may depend on the entropy source if the entropy represents 320 bits of true random data. The initial compression of the seed data will make sure that any random entropy from the entropy source is used.
Another reason to combine two PRNGs is when the PRNG algorithm is not fully trusted. In that case it is much better to switch to another PRNG. If one is vulnerable the other one will be vulnerable as well.
It is better to re-seed the PRNG more often if there is entropy to spare.
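The two seeding strategies from the answers above, as an added example written against the standard JDK SHA1PRNG provider (not code from either answer; the 64-byte seed is a constructed stand-in for the DH-derived material in the question):

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedDemo {
    // Constructed stand-in for the 64-byte (512-bit) DH-derived seed material.
    static byte[] constructedSeed() {
        byte[] s = new byte[64];
        for (int i = 0; i < s.length; i++) s[i] = (byte) (i * 37 + 11);
        return s;
    }

    // First answer: hand the whole seed to setSeed and let the SHA-1 based
    // generator compress it into its 160-bit state.
    static byte[] outputDirectSeed(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(seed); // before any nextBytes: output is determined solely by seed
        byte[] out = new byte[n];
        rng.nextBytes(out);
        return out;
    }

    // Second answer: compress the seed to 160 bits yourself, then seed with the digest.
    static byte[] outputHashedSeed(byte[] seed, int n) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(seed);
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        rng.setSeed(digest);
        byte[] out = new byte[n];
        rng.nextBytes(out);
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] seed = constructedSeed();
        byte[] a = outputDirectSeed(seed, 16);
        byte[] b = outputDirectSeed(seed, 16);
        // Same seed, same output: the stream is fully determined by the 64 bytes.
        System.out.println("deterministic: " + Arrays.equals(a, b));
        // Flip one bit in the LAST seed byte: the output changes, showing the
        // compression consumes all of the material, not just the first 160 bits.
        byte[] tweaked = seed.clone();
        tweaked[63] ^= 1;
        byte[] c = outputDirectSeed(tweaked, 16);
        System.out.println("changed by bit flip in second half: " + !Arrays.equals(a, c));
        System.out.println("hashed-seed variant deterministic: "
            + Arrays.equals(outputHashedSeed(seed, 16), outputHashedSeed(seed, 16)));
    }
}
```

Note the caveat in the comment: on the JDK's SHA1PRNG, calling setSeed before the first nextBytes makes the output depend only on the bytes you supply, so if you also want the platform's own entropy mixed in, use new SecureRandom() (or call nextBytes once first) and then call setSeed to supplement it, as the first answer describes.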
If your PRNG expects a 160-bit seed, and you have 320 bits of seed data, you can hash the seed data, then use the result as your seed for the PRNG.