On Sun, 25 Jul 1999, John Kelsey wrote:

> Has anyone looked at this from a cryptanalytic point of
> view?  I think there are chosen-input attacks available if
> you do this in the straightforward way.  That is, if I get
> control over some of your inputs, I may be able to alternate
> looking at your outputs and sending in new inputs, and mount
> an attack that isn't possible at all against RC4 as it's
> normally used.  (This comes out of conversations with Jon
> Callas, Dave Wagner, and Niels Ferguson, from a time when I
> considered designing a Yarrow-variant using RC4 as the
> underlying engine.)

I thought about building SRNGs from several different cryptographic
primitives, and came to the conclusion that the chosen-entropy attacks
force it to be based on a secure hash. Since the design I figured out
looks very much like Yarrow, we probably had thoughts along the same
lines.

> This isn't a bad idea, but I'd be careful about assuming
> that those times hold much entropy.  After all, a given
> piece of code which has thirty calls to the PRNG probably
> runs in about the same amount of time every time, barring
> disk or network I/O.

A lot of things include less entropy than one might assume. For example,
keystrokes contain essentially no entropy based on what letter was hit,
and the number of bits of entropy their timing includes is approximately
the logarithm of the number of time ticks since the last keystroke (which
means, interestingly enough, that you can get faster entropy harvesting by
having a more precise clock).

-Bram
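The two points Bram makes above, that chosen inputs push the pool design toward a secure hash and that keystroke timing is worth roughly log2(ticks since the last keystroke) bits, can both be made concrete. The following is an added example, not code from this thread or from Yarrow: it builds a toy pool that XORs inputs into its state beside a toy pool that absorbs inputs as H(state || input), then lets an attacker who knows the state and has learned an honest sample try to erase that sample with one chosen input. The pool size, the "out" domain tag, the 2^14 search budget and the inter-keystroke gaps are this example's own choices.

```python
# Added example, not code from the thread: a toy XOR-mixed pool beside a toy
# hash-mixed pool, showing why a chosen-input attacker can erase honest
# entropy from the linear design but not from the hash-based one, plus the
# rule-of-thumb keystroke-timing estimate from the reply. Pool size, the
# "out" domain tag and the search budget are this example's own choices.
import hashlib
import math

POOL_BYTES = 32


class XorPool:
    """The 'straightforward' way: each input is XORed into a fixed state."""

    def __init__(self) -> None:
        self.state = bytes(POOL_BYTES)

    def add(self, data: bytes) -> None:
        data = data.ljust(POOL_BYTES, b"\0")[:POOL_BYTES]
        self.state = bytes(a ^ b for a, b in zip(self.state, data))

    def output(self) -> bytes:
        return hashlib.sha256(b"out" + self.state).digest()


class HashPool:
    """Yarrow-style accumulation: state <- H(state || input)."""

    def __init__(self) -> None:
        self.state = bytes(POOL_BYTES)

    def add(self, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + data).digest()

    def output(self) -> bytes:
        return hashlib.sha256(b"out" + self.state).digest()


def cancel_sample(pool_cls, sample: bytes, budget: int = 1 << 14) -> bool:
    """Worst case for the defender: the attacker knows the pool state S0 and
    has learned an honest sample E (say, a low-entropy timing value he
    guessed). He may now submit one chosen input. Returns True if he can
    drive the pool back to S0, i.e. erase E's contribution entirely."""
    pool = pool_cls()
    s0 = pool.state
    pool.add(sample)                      # honest entropy arrives
    if isinstance(pool, XorPool):
        # Linear mixing: XORing E in a second time cancels it exactly.
        pool.add(sample)
        return pool.state == s0
    # Hash mixing: he needs x with H(state || x) == S0, a preimage.
    # All he can do is try inputs; a small budget stands in for "infeasible".
    for i in range(budget):
        x = i.to_bytes(4, "big")
        if hashlib.sha256(pool.state + x).digest() == s0:
            pool.add(x)
            return True
    return False


def demo() -> dict:
    """Run the cancellation attempt against both pool designs."""
    return {cls.__name__: cancel_sample(cls, b"\x2a")
            for cls in (XorPool, HashPool)}


def keystroke_timing_bits(intervals_s, tick_hz: float) -> float:
    """Rule of thumb from the reply above: a keystroke's timing is worth
    about log2(ticks since the previous keystroke) bits, so a finer clock
    yields more bits from the same typing. Intervals are in seconds."""
    bits = 0.0
    for dt in intervals_s:
        ticks = max(1, round(dt * tick_hz))   # quantize to the clock
        bits += math.log2(ticks)
    return bits


if __name__ == "__main__":
    print(demo())                        # {'XorPool': True, 'HashPool': False}
    typing = [0.10, 0.20, 0.40]          # constructed inter-keystroke gaps
    for hz in (100, 1000):
        print(hz, "Hz clock:", round(keystroke_timing_bits(typing, hz), 2), "bits")
```

The toy isolates one property only: whether an input chosen with full knowledge can undo what honest samples already contributed. How the attacker came to know the sample (guessing a low-entropy value against observed outputs) is a separate problem, which Yarrow addresses with reseed thresholds rather than with the choice of mixing function. The log2(ticks) figure is likewise a rule of thumb, an estimate of the bits available rather than a measurement; moving from a 100 Hz to a 1000 Hz clock adds log2(10) bits per keystroke in this model because every interval simply gains ten times as many ticks.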
