[19883] in cryptography@c2.net mail archive


Re: EDP (entropy distribution protocol), userland PRNG design

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Wed Feb 8 11:15:28 2006

X-Original-To: cryptography@metzdowd.com
To: "Travis H." <solinym@gmail.com>
Cc: cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 04 Feb 2006 22:19:16 -0800
In-Reply-To: <d4f1333a0602041937h5394c287v1bf3b8c0809590f8@mail.gmail.com> (Travis
 H.'s message of "Sat, 4 Feb 2006 21:37:41 -0600")

"Travis H." <solinym@gmail.com> writes:

> On 2/4/06, Eric Rescorla <ekr@rtfm.com> wrote:
>> Look, this design just reduces to a standard cryptographic PRNG with
>> some of the seed being random and periodically being reseeded by the
>> "random" network stream you're sending around. There's no need to
>> worry about the integrity or confidentiality of the "random" stream
>> because anyone who controls the network already knows this input. The
>> only information they don't have is your "random" private key.
>
> How do you figure?  If the random stream conveys 1kB/s, and I'm
> reading 1kB/s from /dev/random, and the network traffic is not
> observed, then I am not stretching the bits in any way, and the result
> should be equivalent to reading from the HWRNG, right?

Well, for starters the assumption that nobody is monitoring the
network traffic is in general unwarranted.

However, the equivalence (or lack thereof) to a HWRNG depends entirely
on the details of the mixing function in /dev/random, network
buffering, etc. But since /dev/random is basically a PRNG, it's
not clear why you think there's any difference between your and
my designs.

-Ekr
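The reduction Ekr describes, a keyed PRNG whose only secret is the private seed and whose reseed input is a network stream an on-path observer can also read, as an added example that is not from the thread; the HMAC-SHA256 construction and the sample wire blocks are assumptions.

```python
import hmac
import hashlib

# Constructed illustration of the reduction: a cryptographic PRNG seeded with a
# private value and periodically reseeded with a network stream that an observer
# can also capture. HMAC-SHA256 is an assumed primitive; the thread names none.
class ReseededPRNG:
    def __init__(self, private_seed: bytes) -> None:
        # The private seed is the only input an observer does not have.
        self.key = hashlib.sha256(b"seed:" + private_seed).digest()
        self.counter = 0

    def reseed(self, network_block: bytes) -> None:
        # Fold the "random" network stream into the key. This block is visible
        # on the wire, so it changes the state but adds no secrecy.
        self.key = hmac.new(self.key, b"reseed:" + network_block, hashlib.sha256).digest()
        self.counter = 0

    def read(self, n: int) -> bytes:
        # Counter-mode output under the current key.
        out = bytearray()
        while len(out) < n:
            ctr = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, b"out:" + ctr, hashlib.sha256).digest()
            self.counter += 1
        return bytes(out[:n])


def run(private_seed: bytes, network_blocks: list, n: int = 32) -> bytes:
    # Interleave reseeds and reads the way the receiving host would.
    prng = ReseededPRNG(private_seed)
    out = bytearray()
    for block in network_blocks:
        prng.reseed(block)
        out += prng.read(n)
    return bytes(out)


# Constructed sample traffic: what an observer captured from the wire.
WIRE = [b"block-1-observed", b"block-2-observed", b"block-3-observed"]


def observer_matches(real_seed: bytes, guessed_seed: bytes) -> bool:
    # The observer knows WIRE, so reproducing the output succeeds exactly when
    # the seed guess is right: security reduces to the secrecy of the seed.
    return run(real_seed, WIRE) == run(guessed_seed, WIRE)
```

With the wire stream known, the observer's only remaining work is guessing the private seed, which is the point that the confidentiality of the stream itself does not matter.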



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
