[cryptography] Applications should be the ones [GishPuppy]
Jack Lloyd
lloyd at randombit.net
Fri Feb 17 15:14:26 EST 2012
On Fri, Feb 17, 2012 at 11:33:15AM -0800, Jon Callas wrote:
> Really?
>
> Let's suppose I've completely compromised your /dev/random and I
> know the bits coming out. If you pull bits out of it and put them
> into any PRNG, how is that not just Bits' = F(Bits) ? Unless F is a
> secret function, I just compute Bits' myself. If F is a secret
> function than the security is exactly the secrecy of F. Jon
Sorry, perhaps I wasn't clear that my reference was to having
additional entropy gathering code is also useful on platforms with a
/dev/random, because your PRNG output is
F(Bits from /dev/random || Bits from somewhere else).
So I suppose in some sense this coincides with your second case, as
one could view the above as F(Bits from /dev/random) where F is keyed
with an input chosen from a non-uniform distribution, and certainly I
concur that if you know or can easily guess both the entire output of
/dev/random and the complete results of whatever ad-hoc system
specific entropy gathering is available then you could in fact also
guess the PRNG output. And I concur that if you know the /dev/random
output then the security of the PRNG would rest entirely on the
conditional entropy of the ad-hoc polling -- which is precisely my
point as to why it is a useful approach, because it requires two
things to fail instead of just one.
Additionally there is a more plausible case than you know exactly what
bits my /dev/random will produce, which is that you know something
about the probability distribution of the output that distinguishes it
from uniform random. In that case, even F(Bits) could be useful if you
are compressing down in size (eg transforming 2*N bits of input into N
bits of key material).
-Jack
More information about the cryptography
mailing list