Sunday, April 8, 2007

Welcome to the Fortuna Blog

Hi,

I wrote an implementation of the Fortuna PRNG by Ferguson and Schneier about 3 years ago. I get a lot of hits to the web pages, but never get any feedback. I thought I would start this blog to provide a convenient means to discuss the Fortuna PRNG in general and/or my implementation of the Fortuna PRNG in particular.

Every 6 months or so someone writes me asking for permission to use the code, and I have made it available for any commercial or non-commercial purpose.

I'd like to hear from anyone who has used it in any way, or has any comments / criticisms of the design. I know it creates a lot of threads, one for each source and one for each process, but the threads don't do much work. It seemed like an elegant design at the time, but if I did it again I'd likely just have one thread for the sources, one thread for the pools, and one thread for the main generator.

I'd also be interested in hearing what people think about using RDTSC (the time stamp counter from the CPU) as a source of something that is difficult to predict. Using this wrapped around system calls seems to me to provide a good source of bytes that are difficult to predict. I'm not an electrical engineer, but from the reading I've done it looks like a common approach to generating pseudo random numbers is to use a fast timer to sample a slow timer.

Also, I'm interested in any feedback regarding using the Windows registry as a source of data. While I realize that the registry is mostly static, due to the design of the PRNG it's difficult to predict what data will end up in each pool, and also using the RDTSC timer around the registry calls seems like a good source of bytes that are difficult to predict, because the registry is a shared system resource. So as other applications on the machine reference the registry, the threads from the PRNG block until the data can be read. In this way the other processes influence the timing of the registry access.

I'd also like to discuss other sources of quantities that are difficult to predict. For example, downloading random web pages, using DNS (for the timing info), using the PC's microphone, etc.

I'd really welcome any comments on these thoughts.

Thanks!

Ron

Citadel Software Inc
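
The timing idea raised in the post (a fast counter read around a system call) can be checked empirically before any entropy is credited to it. The following is an added example, not code from the Fortuna implementation discussed here: it uses a portable nanosecond clock as a stand-in for RDTSC, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Assumption: portable nanosecond clock standing in for RDTSC. */
static uint64_t tick(void) {
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Time n system calls, keeping the low byte of each elapsed count. */
static void sample_syscall_jitter(uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = tick();
        (void)getppid();               /* any cheap system call */
        out[i] = (uint8_t)(tick() - t0);
    }
}

/* Conservative min-entropy per sample: the largest b with p_max <= 2^-b,
   where p_max is the frequency of the most common byte value. */
static unsigned min_entropy_floor_bits(const uint8_t *s, size_t n) {
    size_t hist[256] = {0}, max = 0;
    unsigned b = 0;
    for (size_t i = 0; i < n; i++)
        if (++hist[s[i]] > max) max = hist[s[i]];
    while (max != 0 && (max << (b + 1)) <= n) b++;
    return b;
}

/* Fortuna spreads each source's events over its 32 pools round-robin. */
static unsigned pool_for_event(unsigned event_index) {
    return event_index % 32u;
}

int main(void) {
    static uint8_t s[4096];
    sample_syscall_jitter(s, sizeof s);
    printf("credit at most %u bits per timing sample\n",
           min_entropy_floor_bits(s, sizeof s));
    printf("event 33 from this source goes to pool %u\n", pool_for_event(33));
    return 0;
}
```

A source whose timings are nearly constant scores 0 bits here, which is the case a timing-based collector has to detect rather than assume away.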
