[13217] in cryptography@c2.net mail archive
Re: Randomness
daemon@ATHENA.MIT.EDU (Paul Onions)
Wed May 7 13:47:54 2003
X-Original-To: cryptography@metzdowd.com
From: Paul Onions <paul_onions@siliconinfusion.com>
To: cryptography@metzdowd.com
Date: Wed, 7 May 2003 12:39:41 +0100
In-Reply-To: <3EB68874.80807@algroup.co.uk>
On Monday 05 May 2003 4:51 pm, Ben Laurie wrote:
> People might be interested in a paper I've written on randomness:
> http://www.apache-ssl.org/randomness.pdf. Comments, as always, are more
> than welcome.
>
> Cheers,
>
> Ben.
Interesting article, certainly gets one thinking! One point though. Quoting
from the top of page 6:-
Another question is how much state should be shared between the various
different APIs. If one assumes the PRNG is secure, then this seems to be
easily resolved: they can all share all the state, except insecureprng(),
which requires less conditional entropy. Once there is sufficient entropy
for the other APIs to start working, then even insecureprng() can share
their state.
Can insecureprng() really share the same state as the secure PRNGs? Since
there is no requirement for unpredictability it would seem that an instance
of insecureprng() that leaks the internal state is not disallowed. So maybe
it's possible for an adversarial process to reconstruct the internal state
from calls to insecureprng(), and then effectively know the answers that will
be given to the queries by other processes to the secure PRNGs (or at least
acquire enough information to be able to restrict the search for the secure
PRNG seeds).
I guess it all depends on the system as designed and implemented, so maybe
some kind of (formal) model is needed to describe such a system (allowing one
to derive its security properties from the model).
Regards,
Paul(o)
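A toy model of the two designs discussed above, added here as an illustration that is not part of the thread or of the paper: `LeakySharedPool` lets insecureprng() read the same raw pool as the secure API, while `SeparatedPool` gives insecureprng() its own sub-state that is a one-way image of the pool. The hash-with-counter generator, the pool size and the `insecure-domain` label are constructed assumptions, not anything the paper specifies.

```python
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """One-way function used for every derivation in this toy model."""
    return hashlib.sha256(b"".join(parts)).digest()


class LeakySharedPool:
    """Every API reads the same raw pool, including insecureprng(): the design Paul questions."""

    def __init__(self, seed: bytes):
        self.pool = seed   # shared secret state (constructed: 32 random bytes)
        self.n = 0         # number of secureprng() calls so far

    def secureprng(self) -> bytes:
        self.n += 1
        return H(self.pool, self.n.to_bytes(8, "big"))

    def insecureprng(self) -> bytes:
        # With no unpredictability requirement, nothing forbids handing out pool bytes directly.
        return self.pool


class SeparatedPool(LeakySharedPool):
    """insecureprng() runs on its own sub-state derived one-way from the shared pool."""

    def __init__(self, seed: bytes):
        super().__init__(seed)
        self.fast_state = H(b"insecure-domain", self.pool)  # one-way image of the pool

    def insecureprng(self) -> bytes:
        # Still leaks its own state (allowed for an insecure API); the pool stays behind the hash.
        out = self.fast_state
        self.fast_state = H(self.fast_state)  # stands in for a cheap, fast generator step
        return out


def predict_secure_from_leak(leaked: bytes, calls_so_far: int) -> bytes:
    """Next secureprng() output an observer expects if `leaked` really is the shared pool."""
    return H(leaked, (calls_so_far + 1).to_bytes(8, "big"))


def leak_predicts_secure(pool: LeakySharedPool) -> bool:
    """True when one insecureprng() observation lets the observer predict the secure output."""
    leaked = pool.insecureprng()
    guess = predict_secure_from_leak(leaked, pool.n)
    return guess == pool.secureprng()


if __name__ == "__main__":
    print("leaky design predictable:", leak_predicts_secure(LeakySharedPool(os.urandom(32))))
    print("separated design predictable:", leak_predicts_secure(SeparatedPool(os.urandom(32))))
```

In the separated design the insecure API may leak everything it holds and the secure outputs remain unaffected, which is the property a formal model of the system would need to state.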
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com