yarrow unix source

Adam Back adamb at zeroknowledge.com
Fri Feb 25 12:10:38 EST 2000 

Hi guys

We at ZKS were also interested in yarrow under unix.  However the
implementation that counterpane have on their web page doesn't correspond to
the paper -- it is a pretty different design.

Also the windows code is hairy in the extreme -- I decided to reimplement it
from scratch from the paper, rather than try to look at that windows code too
much (yeuch!).  And in writing from the paper, this is when I found that
contrary to expectations from reading their webpage, the code is completely
unrelated to the paper.

I asked them about this discrepency and apparently there was a previous
version of the paper with a different design.  However they don't reference
the previous paper at all on their web page.

I suggested they should mention that there is a difference as people will be
using the code under false assumptions about it's design, and they've done
this now.

So I have some nice, clean unix source code for the new yarrow design, which
we're going to release under BSD or other open license, asap.

Personally I would like to see yarrow used as a replacement for /dev/urandom,
plus of course for randomness drivers with hooks into the kernel made
available under more OSes so that people can start to depend on the
availability of a good RNG.

However there is a problem with the current yarrow design which is that there
is no easy way to integrate it into /dev/[u]random.  You can replace
/dev/urandom with yarrow, but you can't replace /dev/random, and it can be
dangerous sharing entropy sources between /dev/random and yarrow --
/dev/random has different properties -- it is designed to offer information
theoretic security, where as /dev/urandom and yarrow are design to offer a
cryptographic PRNG, with computational security.

I'm talking to the authors of the paper trying to motivate a new design which
can safely be integrated to provide to interfaces: information theoretic
(/dev/random) and computational (/dev/urandom).

So I would suggest that you hold off on using the old yarrow design as the
new design is stronger.  The new design has two pools which offers slow
strong reseeds, and fast intermediate strength reseeds to recover from state
compromise both strongly and as soon as possible.

(I first found out about the interest in a unix version of yarrow for openssh
from an email Bruce Schneier forwarded me from Andre Lucas
<andre.lucas at dial.pipex.com> asking if Counterpane had such code.

Adam

More information about the openssh-unix-dev mailing list