[5220] in cryptography@c2.net mail archive
Re: depleting the random number generator
daemon@ATHENA.MIT.EDU (bram)
Mon Jul 26 14:23:56 1999
Date: Mon, 26 Jul 1999 10:18:05 -0700 (PDT)
From: bram <bram@gawth.com>
To: "James A. Donald" <jamesd@echeque.com>
Cc: David Wagner <daw@cs.berkeley.edu>, cryptography@c2.net
In-Reply-To: <199907261413.HAA22696@proxy3.ba.best.com>
On Mon, 26 Jul 1999, James A. Donald wrote:
> > Oh dear! This suggestion worries me.
> > Is it reasonable to expect this arrangement to be secure
> > against e.g. chosen-entropy attacks?
>
> Yes: If the attacker knows exactly when the packets arrive (which he
> cannot) this cannot give him any additional knowledge about the state.
The threat model for Yarrow and other SRNGs is that the attacker can not
only tell when entropy is coming in, but control its contents as well.
The idea is to build something which only fails if the attacker both knows
the state of the pool at some point and manages to control all attempted
reseedings.
-Bram
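A toy model of the failure condition Bram describes, added here as an illustration and not Yarrow's actual algorithm or code from anyone in this thread: a hash-mixed pool reseeds a keyed-hash generator, and the attacker's prediction of the next output succeeds only when he both knows the pool state and supplies every input to the reseed. The class and function names are hypothetical, and the honest entropy is drawn from os.urandom.

```python
import hashlib
import hmac
import os


class PoolPRNG:
    """Toy Yarrow-style SRNG (hypothetical model, not Yarrow's real design):
    every input is hashed into a pool, a reseed derives a fresh generator
    key from the pool, and outputs are a keyed hash over a counter."""

    def __init__(self, seed: bytes) -> None:
        self.pool = hashlib.sha256(b"pool|" + seed).digest()
        self.key = hashlib.sha256(b"key|" + seed).digest()
        self.counter = 0

    def add_entropy(self, data: bytes) -> None:
        # Hash mixing: whoever chose an input can replay it, but it cannot
        # cancel entropy already in the pool or added afterwards.
        self.pool = hashlib.sha256(self.pool + data).digest()

    def reseed(self) -> None:
        self.key = hmac.new(self.pool, b"reseed", hashlib.sha256).digest()
        self.counter = 0

    def output(self) -> bytes:
        self.counter += 1
        return hmac.new(self.key, self.counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()


def attacker_can_predict(knows_state: bool, controls_all_inputs: bool) -> bool:
    """One reseed cycle. The attacker keeps a model of the victim's generator;
    returns True iff the model reproduces the victim's next output.
    Constructed scenario: the honest input is drawn from os.urandom."""
    seed = os.urandom(32)
    victim = PoolPRNG(seed)
    model = PoolPRNG(seed if knows_state else os.urandom(32))
    chosen = b"attacker-chosen entropy"  # chosen-entropy input, seen by both
    victim.add_entropy(chosen)
    model.add_entropy(chosen)
    if not controls_all_inputs:
        victim.add_entropy(os.urandom(16))  # a reseed input he cannot see
    victim.reseed()
    model.reseed()
    return victim.output() == model.output()
```

Only the combination (knows_state=True, controls_all_inputs=True) lets the model track the victim; a single unseen input mixed into the pool before the reseed is enough to break the prediction.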