[5217] in cryptography@c2.net mail archive


Re: depleting the random number generator

daemon@ATHENA.MIT.EDU (James A. Donald)
Mon Jul 26 13:16:06 1999

Date: Mon, 26 Jul 1999 06:40:25 -0700
To: daw@cs.berkeley.edu (David Wagner), cryptography@c2.net
From: "James A. Donald" <jamesd@echeque.com>
In-Reply-To: <7nft8f$25o$1@blowfish.isaac.cs.berkeley.edu>

    --
At 01:49 PM 7/25/99 -0700, David Wagner wrote:
> > One nice advantage of using RC4 as a nonce generator is that you can easily
> > switch back and forth between key setup and code byte generation. You can
> > even do both at the same time. (There is no need to reset the index
> > variables.) This allows you to intersperse entropy deposits and withdrawals
> > at will.

Arnold G. Reinhold <reinhold@world.std.com> wrote:
> Oh dear!  This suggestion worries me.
> Is it reasonable to expect this arrangement to be secure
> against e.g. chosen-entropy attacks?

Yes: if the attacker knows exactly when the packets arrive (which he
cannot), this cannot give him any additional knowledge about the state.

The worst case is that the attacker does not lose any information.


    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     GwzRjnRrKYJu2r1GIGDbMcu4BUlTzkvCgsPsse1R
     4zW/Nuta5TAkUWJiaYK+pxqBFNK6i8MzCczPKz24u
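The interleaving that the quoted message describes (RC4 key-setup steps as "deposits", keystream steps as "withdrawals", both continuing from the same i and j), written out in Python as an added example. This is not code from the thread or from any of its participants; the class, its method names and the choice to repeat the seed to 256 bytes so that the first deposit equals the textbook key schedule are my assumptions about what the design means. The two textbook RC4 functions are included only as a reference to check the pool's deposit step against, using the widely published "Key"/"Plaintext" test vector; the "entropy" bytes fed in by demo() are constructed, not captured from anything.

```python
"""RC4 state used as an entropy pool (added example, not the thread's code).

Key-setup (KSA) steps and keystream (PRGA) steps share one (S, i, j) state
and can be interleaved without resetting i and j, as the quoted message says.
"""

from typing import Dict, List


def rc4_ksa(key: bytes) -> List[int]:
    """Textbook RC4 key scheduling, kept as a reference for the pool's deposit()."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: KSA, then PRGA restarted from i = j = 0."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


class RC4Pool:
    """RC4 permutation plus the two indices, never reset between operations."""

    def __init__(self, seed: bytes):
        self.S = list(range(256))
        self.i = 0
        self.j = 0
        # Assumption: repeat the seed to 256 bytes so that this first deposit
        # is byte-for-byte the textbook KSA (checked against rc4_ksa below).
        self.deposit(bytes(seed[k % len(seed)] for k in range(256)))

    def deposit(self, data: bytes) -> None:
        """Entropy deposit: one KSA step per input byte, continuing from i, j."""
        for b in data:
            self.j = (self.j + self.S[self.i] + b) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            self.i = (self.i + 1) & 0xFF

    def withdraw(self, n: int) -> bytes:
        """Withdrawal: n PRGA steps, continuing from i, j (no reset)."""
        out = bytearray()
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.S[self.i]) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(self.S[(self.S[self.i] + self.S[self.j]) & 0xFF])
        return bytes(out)


def pool_matches_textbook_ksa(seed: bytes) -> bool:
    """After the initial deposit the pool's S equals the textbook KSA output
    and i has wrapped back to 0; only j is left unreset, which is the point."""
    p = RC4Pool(seed)
    return p.S == rc4_ksa(seed) and p.i == 0


def demo() -> Dict[str, bool]:
    """Interleave withdrawals and deposits on two pools with the same seed."""
    a = RC4Pool(b"Key")
    b = RC4Pool(b"Key")
    first_a = a.withdraw(8)
    first_b = b.withdraw(8)
    # Constructed "entropy" (stand-in for packet-arrival bytes); the two pools
    # receive inputs that differ in a single byte.
    a.deposit(b"\x01\x02\x03")
    b.deposit(b"\x01\x02\x04")
    later_a = a.withdraw(16)
    later_b = b.withdraw(16)
    return {
        # Same seed and same history give the same output: the pool is a
        # deterministic function of seed plus deposit/withdrawal sequence.
        "same_history_same_output": first_a == first_b,
        # Differing deposits mid-stream change everything withdrawn afterwards.
        "diverge_after_different_deposit": later_a != later_b,
        # S stays a permutation of 0..255 whatever the interleaving.
        "state_is_permutation": sorted(a.S) == list(range(256)),
    }


if __name__ == "__main__":
    print(rc4_keystream(b"Key", 9).hex())  # published vector: eb9f7781b734ca72a7
    print(pool_matches_textbook_ksa(b"Key"))
    print(demo())
```

Two things the code makes visible. First, the only difference between a deposit step and a withdrawal step is that the deposit adds an input byte into j and advances i after the swap rather than before it, so there is no separate "key schedule state" to reset, which is the property the quoted message relies on. Second, the pool's state is fully determined by the seed and the exact sequence of deposits and withdrawals; whether an attacker who can choose deposited bytes but not their timing learns anything from that is exactly what this thread is arguing about, and the example does not settle it either way.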