>From: William Allen Simpson <[EMAIL PROTECTED]>
>Sent: Jan 11, 2005 1:48 PM
>To: cryptography@metzdowd.com
>Subject: Re: entropy depletion

>Ben Laurie wrote:
>> Surely observation of /dev/urandom's output also gives away information?
>ummm, no, not by definition.

> blocks on insufficient estimate of stored entropy
>  useful for indirect measurement of system characteristics
>  (assumes no PRNG)

>  blocks only when insufficient entropy for initialization of state
>  computationally infeasible to determine underlying state
>  (assumes robust PRNG)

So, the big issue here is that we're counting on a cryptographic algorithm to
both provide full entropy outputs and to mask the different outputs from one
another. There's no guarantee that it can do either. That is, even if another
160 bits of entropy have been put into the pool, there's no guarantee that
there will be no relationship between the next 80-bit output and the last one.
That depends on your beliefs about SHA1, and about unproven properties of it.
(It's been a long time since I've looked at the algorithm used by /dev/random,
but I think there are some narrow pipe issues there which might limit the total
entropy that can affect a sequence of outputs from a sequence of inputs.)

>William Allen Simpson

--John Kelsey
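A toy model of the two read disciplines quoted in the message above (blocking on the stored-entropy estimate versus blocking only until the state is initialized), added here as an illustration; it is not code from the thread or from any kernel. The 160-bit SHA-1 state, the 128-bit initialization threshold, the 80/128-bit read sizes and the sample inputs are all constructed assumptions.

```python
import hashlib

class EntropyPool:
    """Constructed toy model, not the kernel's code: one SHA-1 sized state,
    an entropy estimate that reads debit, and one of the two read disciplines."""

    def __init__(self, blocking: bool):
        self.blocking = blocking       # True: /dev/random style, False: /dev/urandom style
        self.state = b"\x00" * 20      # 160-bit pool state
        self.estimate = 0              # bits of entropy the pool believes it holds
        self.initialized = False       # set once enough entropy has been credited

    def mix(self, sample: bytes, estimate_bits: int) -> None:
        self.state = hashlib.sha1(self.state + sample).digest()
        # Narrow pipe: the estimate can never exceed the 160-bit state that carries it.
        self.estimate = min(160, self.estimate + estimate_bits)
        if self.estimate >= 128:       # constructed initialization threshold
            self.initialized = True

    def read(self, nbytes: int) -> bytes:
        need = nbytes * 8
        if self.blocking and self.estimate < need:
            raise BlockingIOError("estimate %d bits < %d requested" % (self.estimate, need))
        if not self.blocking and not self.initialized:
            raise BlockingIOError("pool not yet initialized")
        out = b""
        while len(out) < nbytes:       # hash out, then feed the state forward
            out += hashlib.sha1(self.state + b"output").digest()
            self.state = hashlib.sha1(self.state + b"feedback").digest()
        self.estimate = max(0, self.estimate - need)   # reads deplete the estimate
        return out[:nbytes]

def would_block(pool: EntropyPool, nbytes: int) -> bool:
    try:
        pool.read(nbytes)
    except BlockingIOError:
        return True
    return False

def demo() -> dict:
    rnd, urnd = EntropyPool(blocking=True), EntropyPool(blocking=False)
    r = {"both_block_when_empty": would_block(rnd, 16) and would_block(urnd, 16)}
    for pool in (rnd, urnd):
        pool.mix(b"constructed timing sample", 160)   # credit 160 bits, the figure in the mail
    r["first_read_ok"] = not would_block(rnd, 16) and not would_block(urnd, 16)
    # 32 bits remain in each estimate; a second 128-bit read exceeds that.
    r["random_blocks_after_depletion"] = would_block(rnd, 16)
    r["urandom_keeps_going"] = not would_block(urnd, 16)
    return r
```

Both pools run the same hash-out-and-feed-back extraction, so the model also shows the point of the message: the estimate counter is what differs between the two disciplines, while any independence between successive outputs rests entirely on the hash.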

The Cryptography Mailing List