[erlang-questions] Multi-precision math, random number generator entropy, various other questions

Per Hedeland per@REDACTED
Mon Jun 1 00:29:07 CEST 2009


Will <wglozer@REDACTED> wrote:
>
>On Sun, May 31, 2009 at 2:04 PM, Per Hedeland <per@REDACTED> wrote:
>>
>> But anyway, I think the best answer was already given - use
>> crypto:rand_bytes/1 if you really need "crypto quality" random numbers.
>> The OpenSSL crypto library will use /dev/urandom and the like (depending
>> on availability) to seed a high-quality PRNG - i.e. you get something
>> that is a) portable and b) probably the best quality you *can* get on a
>> given OS/HW.
>
>FYI, crypto:rand_bytes/1 calls OpenSSL's RAND_pseudo_bytes() function.
>
>  http://openssl.org/docs/crypto/RAND_bytes.html.
>
>The Description section of the man page indicates that the output is not
>cryptographically strong.

It says "not necessarily", and in that context

> However the Return Values section says the
>output is strong when the return value is 1.

makes sense. I.e. basically they do the same thing, just that
RAND_bytes() "fails" if it can't provide cryptographically strong
numbers, RAND_pseudo_bytes() doesn't fail, just returns 1 anyway. :-)
(See the source for the default implementation of RAND_pseudo_bytes()
below.)

And this is similar to the difference between /dev/random and
/dev/urandom on systems where there is a difference - you can use
/dev/random if you absolutely must have "real" entropy, but be prepared
to wait forever. :-) Of course an interactive key-generating program has
other options, like aborting with an error message or asking the user to
do some random typing for a while, but a "system daemon" will generally
just have to make do with what it can get.

--Per

crypto/rand/md_rand.c:

        ret = RAND_bytes(buf, num);
        if (ret == 0)
                {
                err = ERR_peek_error();
                if (ERR_GET_LIB(err) == ERR_LIB_RAND &&
                    ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED)
                        ERR_clear_error();
                }
        return (ret);
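
The choice described in the message (fail when real entropy is not available, or make do with what the system can give), as an added example that is not part of the original post or of OpenSSL. It opens the device non-blocking so the caller gets an answer instead of waiting; fill_from(), daemon_bytes() and the rnd_status values are hypothetical names.

```c
/* Added example; fill_from(), daemon_bytes() and rnd_status are hypothetical names. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

enum rnd_status { RND_ERROR = -1, RND_WOULD_BLOCK = 0, RND_OK = 1 };

/* Fill buf with n bytes from dev without ever blocking. On anything other
 * than RND_OK the buffer may be partly filled and must not be used. */
enum rnd_status fill_from(const char *dev, unsigned char *buf, size_t n)
{
    enum rnd_status st = RND_OK;
    size_t got = 0;
    int fd = open(dev, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return RND_ERROR;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) {
            got += (size_t)r;
        } else if (r < 0 && errno == EINTR) {
            continue;                 /* interrupted by a signal: retry */
        } else {
            /* EAGAIN: nothing available right now; EOF or other errno: broken device */
            st = (r < 0 && errno == EAGAIN) ? RND_WOULD_BLOCK : RND_ERROR;
            break;
        }
    }
    close(fd);
    return st;
}

/* Daemon policy: prefer /dev/random, otherwise make do with /dev/urandom. */
int daemon_bytes(unsigned char *buf, size_t n)
{
    if (fill_from("/dev/random", buf, n) == RND_OK)
        return 1;
    return fill_from("/dev/urandom", buf, n) == RND_OK;
}

/* Key-generation policy: /dev/random or nothing, abort with a message. */
int main(void)
{
    unsigned char key[32];
    if (fill_from("/dev/random", key, sizeof key) != RND_OK) {
        fprintf(stderr, "not enough entropy for a key, aborting\n");
        return 1;
    }
    return 0;
}
```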

