Entropy Accumulation Time Calculator
Cryptographic key generation must not begin until enough genuine entropy has accumulated to seed the random number generator at full strength. This calculator estimates how long an entropy pool takes to reach a target number of full-entropy bits, given the conservative collection rate of your source in bits per second. It reports the accumulation time, the effective security strength reached, and the deficit if the source is too slow. Use your conditioned full-entropy rate, not the raw sample rate, because conditioning and debiasing discount each raw bit to a fraction of a true entropy bit.
Entropy accumulation formula
Accumulation time (s) = target entropy (bits) / collection rate (bits/s)
Accumulation time (min) = accumulation time (s) / 60
Effective security (bits) = min(target entropy, algorithm strength)
Bits per minute = collection rate (bits/s) * 60
Effective security is capped at the smaller of the entropy you collect and the strength of the algorithm: under-seeding limits real strength no matter how long the key is.
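The formulas above, written out as an added example (this is not the calculator's own code). The `budget_s` parameter is an assumption introduced here: the time available before key generation has to start, used to show the deficit and the capped strength when the source is too slow.

```python
from dataclasses import dataclass
from typing import Optional
import math


@dataclass(frozen=True)
class SeedEstimate:
    seconds: float            # time to reach the target at the given rate
    minutes: float
    bits_per_minute: float
    effective_security: int   # min(entropy credited, algorithm strength)
    deficit_bits: float       # entropy still missing when the budget runs out


def estimate_seeding(target_bits: int, rate_bps: float, algorithm_strength: int,
                     budget_s: Optional[float] = None) -> SeedEstimate:
    """Apply the page's formulas. rate_bps is the conditioned full-entropy
    rate; budget_s (assumed parameter) is the time available before key
    generation must start. None means "wait as long as it takes"."""
    if target_bits <= 0 or algorithm_strength <= 0:
        raise ValueError("target and algorithm strength must be positive")
    if rate_bps <= 0:
        raise ValueError("a source delivering no entropy never reaches the target")
    if budget_s is not None and budget_s < 0:
        raise ValueError("time budget cannot be negative")

    seconds = target_bits / rate_bps
    # Entropy credited is capped at the target: the pool is not asked for more.
    collected = target_bits if budget_s is None else min(target_bits, rate_bps * budget_s)
    return SeedEstimate(
        seconds=seconds,
        minutes=seconds / 60,
        bits_per_minute=rate_bps * 60,
        # Round partial bits down so the strength is never overstated.
        effective_security=min(math.floor(collected), algorithm_strength),
        deficit_bits=target_bits - collected,
    )


if __name__ == "__main__":
    # Constructed inputs: 256-bit target, 50 bits/s source, 256-bit algorithm.
    print(estimate_seeding(256, 50, 256))
    # Same source, but key generation forced to start after 2 seconds.
    print(estimate_seeding(256, 50, 256, budget_s=2))
```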
Entropy seeding context
- A 128-bit security level requires at least 128 bits of full entropy; a 256-bit level requires 256 bits.
- Conditioning and debiasing discount raw hardware bits to a fraction of a true entropy bit, so the conservative full-entropy rate is what matters.
- Freshly booted virtual machines can block on entropy because interrupt-based collection is slow when the system is idle.
- A hardware noise source delivers a steady full-entropy rate independent of CPU clock speed.
- NIST SP 800-90A and SP 800-90B describe seed construction and entropy source validation.
Entropy accumulation: frequently asked questions
What is an entropy pool?
An entropy pool is a buffer where an operating system accumulates unpredictable bits gathered from hardware events such as interrupt timings, mouse movement, and disk seek jitter. A random number generator draws from this pool to seed a cryptographically secure pseudorandom generator. NIST SP 800-90A and related standards describe how seeds are derived from accumulated entropy.
How is accumulation time calculated?
Time equals the target entropy in bits divided by the collection rate in bits per second. If you need 256 bits of entropy and your source provides 50 bits per second, you need 256 divided by 50, which is 5.12 seconds. This assumes each collected bit contributes full entropy, an assumption that conservative designs do not make.
How much entropy does a secure seed need?
A 128-bit security level needs at least 128 bits of full entropy and a 256-bit level needs 256 bits. NIST guidance treats the security strength as the minimum of the entropy collected and the algorithm strength, so under-seeding caps the effective strength regardless of key length.
Why might real collection be slower than advertised?
Raw hardware events are often debiased and conditioned, which discounts each raw bit to a fraction of a true entropy bit. A source advertising 1,000 raw bits per second may only deliver a small fraction as conditioned full-entropy bits. Enter your conservative estimated rate, not the raw sample rate.
Does a faster CPU collect entropy faster?
Not necessarily. Entropy depends on genuine physical unpredictability, not clock speed. A dedicated hardware RNG with a noise source delivers a steady full-entropy rate, while interrupt-based collection on an idle machine can be very slow. This is why freshly booted virtual machines can block on entropy.
Official sources
- NIST: SP 800-90A Recommendation for Random Number Generation.
- NIST: Computer Security Resource Center: entropy glossary.
Reviewed by the CalculatorHub team, edited by James Graham, 17 June 2026. See our methodology.