[5153] in cryptography@c2.net mail archive
RE: depleting the random number generator
daemon@ATHENA.MIT.EDU (David Honig)
Mon Jul 19 22:59:51 1999
Date: Mon, 19 Jul 1999 09:26:29 -0700
To: Enzo Michelangeli <enzom@MailAndNews.com>, Ben Laurie <ben@algroup.co.uk>
From: David Honig <honig@sprynet.com>
Cc: cryptography <cryptography@c2.net>, John Denker <jsd@research.att.com>
In-Reply-To: <37B41916@MailAndNews.com>
At 03:46 AM 7/19/99 -0400, Enzo Michelangeli wrote:
>Sorry folks, but I can't understand where the problem is supposed to be. The
>entropy of a pool is a measure of the information about its internal state
>that we don't know: which is why in thermodynamics the same name is given to
>the logarithm of the number of (invisible) microstates corresponding to an
>(observed) macrostate. Now: if we extract bits from the generator, we cannot
>gain insight over the internal state and its evolution, because on the path of
>a well-designed RNG there is a one-way function whose inversion is not
>computationally feasible. If we can't increase our knowledge of the internal
>state, the entropy of the pool is not depleted at all; in particular, we don't
>gain any information about the bits that the next requestor (i.e., the victim
>of the attack) will get.
>
>Am I missing something?
>
>Enzo
Admittedly it may sound religious to claim that physical entropy
matters, when no one can tell the difference between true random & prng
bits (without the prng 'key'). But a prng *is* crackable
if you infer the internal state. Yes, this should be
infeasible. But the crypto-uses require fully unguessable
bits. Otherwise you could use a one-time-seeded prng and turn
the crank without bothering to reseed.