At 03:46 AM 7/19/99 -0400, Enzo Michelangeli wrote:
>Sorry folks, but I can't understand where the problem is supposed to be. The
>entropy of a pool is a measure of the information about its internal state
>that we don't know: which is why in thermodynamics the same name is given to
>the logarithm of the number of (invisible) microstates corresponding to an
>(observed) macrostate. Now: if we extract bits from the generator, we cannot
>gain insight over the internal state and its evolution, because on the path of
>a well-designed RNG there is a one-way function whose inversion is not
>computationally feasible. If we can't increase our knowledge of the internal
>state, the entropy of the pool is not depleted at all; in particular, we don't
>gain any information about the bits that the next requestor (i.e., the victim
>of the attack) will get.
>
>Am I missing something?
>
>Enzo
Admittedly it may sound religious to claim that physical entropy
matters, when no one can tell the difference between true random & prng
bits (without the prng 'key'). But a prng *is* crackable
if you infer the internal state. Yes, this should be
infeasible. But the crypto-uses require fully unguessable
bits. Otherwise you could use a one-time-seeded prng and turn
the crank without bothering to reseed.
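The point about internal state, as an added illustration that is not part of the thread: a constructed toy PRNG whose state advances through a one-way hash. Outputs alone do not let an observer walk back to the state, but anyone who does learn the state predicts every future block until fresh entropy is mixed in, which is why reseeding matters even when the output function is one-way.

```python
import hashlib
import os


class HashPRNG:
    """Toy hash-based PRNG, constructed for illustration only (not a real design).

    Both the output block and the next state are SHA-256 images of the current
    state, so an observer holding only output blocks cannot invert back to the
    state that produced them.
    """

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()

    def next_block(self) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"step" + self.state).digest()
        return out

    def reseed(self, fresh_entropy: bytes) -> None:
        # Fresh entropy the state-holder never saw makes the state unguessable again.
        self.state = hashlib.sha256(b"mix" + self.state + fresh_entropy).digest()

    def snapshot(self) -> bytes:
        return self.state


def predicted_blocks(state: bytes, n: int) -> list:
    """Everything someone who has learned the internal state can compute ahead."""
    clone = HashPRNG.__new__(HashPRNG)
    clone.state = state
    return [clone.next_block() for _ in range(n)]


def demo() -> tuple:
    """Returns (prediction matched before reseed, prediction matched after reseed)."""
    victim = HashPRNG(b"constructed-seed")
    leaked = victim.snapshot()           # state compromise at this instant
    guess = predicted_blocks(leaked, 6)  # predictor runs the generator ahead
    observed = [victim.next_block() for _ in range(3)]
    victim.reseed(os.urandom(16))        # fresh physical entropy mixed in
    observed += [victim.next_block() for _ in range(3)]
    return guess[:3] == observed[:3], guess[3:] == observed[3:]


if __name__ == "__main__":
    print(demo())  # (True, False)
```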