[16698] in cryptography@c2.net mail archive
Re: entropy depletion
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Jan 26 19:02:29 2005
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: cryptography@metzdowd.com
Date: Tue, 11 Jan 2005 10:58:03 -0500
Let me raise a different issue: a PRNG might be better *in practice*
because of higher assurance that it's actually working as designed at
any given time.
Hardware random number generators are subject to all sorts of
environmental issues, including stuck bits, independent oscillators
that aren't independent, contamination by power line frequency noise,
etc. By contrast, a correct implementation of a cryptographic
algorithm will always function correctly. (Yes, there could be an
undetected hardware fault. Run it three times, on different chips....)
To me, the interesting question about, say, Yarrow is not how well it
mixes in entropy, but how well it performs when there's essentially no
new entropy added. Clearly, we need something to seed a PRNG, but what
are the guarantees we have against what sorts of threats if there are
never any new true-random inputs? (Remember the purported escrow key
generation algorithm for Clipper? See
http://www.eff.org/Privacy/Newin/Cypherpunks/930419.denning.protocol
for details. The algorithm was later disavowed, but I've never been
convinced that the disavowal was genuine.)
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
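The environmental faults listed in the message (stuck bits, bias from power-line coupling) are exactly what continuous health tests on a noise source are meant to catch. The following is an added example, my own code rather than anything from the list thread or from Yarrow's authors; it implements a repetition count test and an adaptive proportion test modelled on the two continuous tests in NIST SP 800-90B, with cutoffs derived here from the binomial distribution (an assumption of this implementation, not a copy of the standard's tables), and runs them over three constructed sample streams: a seeded PRNG standing in for a working source, a source that sticks at 1, and a source biased to 70 % ones that never produces a long run.

```python
"""Continuous health tests for a hardware noise source.

Added example modelled on the repetition count and adaptive proportion
tests of NIST SP 800-90B; not a certified implementation.  Cutoffs are
computed from the binomial distribution for an assumed min-entropy per
sample (H) and false-alarm probability 2**-alpha_exponent."""
import math
import random


def rct_cutoff(min_entropy_bits, alpha_exponent=20):
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(alpha_exponent / min_entropy_bits)


def apt_cutoff(window, min_entropy_bits, alpha_exponent=20):
    """Adaptive Proportion Test cutoff: 1 + the (1 - alpha) quantile of
    Binomial(window, 2**-H), accumulated in the log domain (assumption:
    this is how this example derives the cutoff; H must be > 0)."""
    p = 2.0 ** -min_entropy_bits
    alpha = 2.0 ** -alpha_exponent
    cdf = 0.0
    for k in range(window + 1):
        log_pmf = (math.lgamma(window + 1) - math.lgamma(k + 1)
                   - math.lgamma(window - k + 1)
                   + k * math.log(p) + (window - k) * math.log1p(-p))
        cdf += math.exp(log_pmf)
        if cdf >= 1.0 - alpha:
            return 1 + k
    return window + 1


def repetition_count_test(samples, cutoff):
    """Return the index at which `cutoff` identical consecutive samples
    first occur, or None.  A stuck bit trips this within a few samples."""
    run, prev = 0, None
    for i, s in enumerate(samples):
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return i
    return None


def adaptive_proportion_test(samples, window, cutoff):
    """For each non-overlapping window, count how often the window's first
    sample occurs inside it; return the window offset if the count reaches
    the cutoff, else None.  Catches bias that never forms a long run."""
    for start in range(0, len(samples) - window + 1, window):
        block = samples[start:start + window]
        if block.count(block[0]) >= cutoff:
            return start
    return None


H_BITS = 1.0     # assumed min-entropy per sample: an ideal binary source
WINDOW = 1024    # window size for binary sources, as in SP 800-90B


def healthy_stream(n, seed=2005):
    """Constructed stand-in for a working source: a seeded PRNG, not real
    hardware, so the demonstration is repeatable."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def stuck_bit_stream(n):
    """Constructed: alternating bits for 200 samples, then stuck at 1."""
    return [0, 1] * 100 + [1] * (n - 200)


def biased_stream(n):
    """Constructed: 70 % ones in a fixed pattern with no run longer than 3,
    the shape of bias a coupled mains signal might give."""
    pattern = [1, 1, 1, 0, 1, 1, 1, 0, 1, 0]
    return [pattern[i % len(pattern)] for i in range(n)]


def run_health_checks(samples, h=H_BITS, window=WINDOW):
    """Map each test name to the offset where it failed (None = passed)."""
    return {
        "repetition_count":
            repetition_count_test(samples, rct_cutoff(h)),
        "adaptive_proportion":
            adaptive_proportion_test(samples, window, apt_cutoff(window, h)),
    }


if __name__ == "__main__":
    for name, stream in [("healthy", healthy_stream(4096)),
                         ("stuck bit", stuck_bit_stream(4096)),
                         ("biased 70%", biased_stream(4096))]:
        print(f"{name:10s}: {run_health_checks(stream)}")
```

The two tests are complementary: the stuck source is flagged by the repetition count test after about twenty samples, long before the first proportion window closes, while the biased source passes the repetition test entirely and is only caught by the proportion test. The PRNG stand-in passes both, which is the point of the message's contrast: a correctly implemented deterministic generator keeps behaving, whereas a physical source needs monitoring to know it still is.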