On Fri, Feb 17, 2012 at 11:33:15AM -0800, Jon Callas wrote:
> Really?
>
> Let's suppose I've completely compromised your /dev/random and I
> know the bits coming out. If you pull bits out of it and put them
> into any PRNG, how is that not just Bits' = F(Bits) ? Unless F is a
> secret function, I just compute Bits' myself. If F is a secret
> function then the security is exactly the secrecy of F.
>
> Jon
Sorry, perhaps I wasn't clear that my reference was to the fact that having additional entropy gathering code is also useful on platforms with a /dev/random, because your PRNG output is F(Bits from /dev/random || Bits from somewhere else). So I suppose in some sense this coincides with your second case, as one could view the above as F(Bits from /dev/random) where F is keyed with an input chosen from a non-uniform distribution, and certainly I concur that if you know or can easily guess both the entire output of /dev/random and the complete results of whatever ad-hoc system-specific entropy gathering is available, then you could in fact also guess the PRNG output. And I concur that if you know the /dev/random output then the security of the PRNG would rest entirely on the conditional entropy of the ad-hoc polling -- which is precisely my point as to why it is a useful approach, because it requires two things to fail instead of just one.

Additionally, there is a more plausible case than that you know exactly what bits my /dev/random will produce, which is that you know something about the probability distribution of the output that distinguishes it from uniform random. In that case, even F(Bits) could be useful if you are compressing down in size (e.g. transforming 2*N bits of input into N bits of key material).

-Jack

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
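The two arguments in the thread, as an added worked example that is not part of the original posts: a hypothetical mixer F(Bits from /dev/random || Bits from somewhere else) built on SHA-256, an attacker who knows the /dev/random bits and must therefore enumerate the ad-hoc pool, and the min-entropy arithmetic behind compressing 2*N biased bits into N key bits. The mixer, the pool model and the bias figures are assumptions made for this illustration.

```python
import hashlib
import math


def mix(devrandom_bits: bytes, adhoc_bits: bytes) -> bytes:
    """Hypothetical F: hash of the concatenation of both entropy inputs.
    Predicting the output requires knowing *both* inputs, so two sources
    must fail before the PRNG seed is known (Jack's point)."""
    return hashlib.sha256(b"devrandom:" + devrandom_bits + b"|adhoc:" + adhoc_bits).digest()


def attacker_guesses(known_devrandom: bytes, observed: bytes, adhoc_width: int) -> int:
    """Jon's scenario: the attacker knows the full /dev/random output.
    The ad-hoc pool is modelled as an integer of `adhoc_width` bits, so the
    attacker's only remaining move is to enumerate all 2**adhoc_width values.
    Returns how many evaluations of F were needed, or -1 if none matched.
    With adhoc_width == 0 this is Bits' = F(Bits): one evaluation suffices."""
    nbytes = (adhoc_width + 7) // 8
    for candidate in range(1 << adhoc_width):
        if mix(known_devrandom, candidate.to_bytes(nbytes, "big")) == observed:
            return candidate + 1
    return -1


def min_entropy_bits(p_one: float, n_bits: int) -> float:
    """Min-entropy of n independent bits, each 1 with probability p_one.
    A uniform source yields n; a biased one strictly less, which is why F
    should compress (e.g. 2*N raw bits -> N key bits) rather than map 1:1."""
    return n_bits * -math.log2(max(p_one, 1.0 - p_one))


def key_bits_supported(p_one: float, raw_bits: int, key_bits: int) -> float:
    """Upper bound on unpredictable bits in a key_bits-long key derived from
    raw_bits biased input bits: never more than the input's min-entropy."""
    return min(float(key_bits), min_entropy_bits(p_one, raw_bits))


if __name__ == "__main__":
    # Constructed sample values: a known /dev/random stream and a 12-bit ad-hoc pool.
    known = bytes(range(32))
    pool = (0x2AB).to_bytes(2, "big")
    out = mix(known, pool)
    print("guesses with no ad-hoc pool :", attacker_guesses(known, mix(known, b""), 0))
    print("guesses with 12-bit pool    :", attacker_guesses(known, out, 12))
    print("min-entropy of 256 bits, p=0.75:", round(min_entropy_bits(0.75, 256), 2))
    print("key bits from 128 raw / 256 raw:",
          round(key_bits_supported(0.75, 128, 128), 2),
          round(key_bits_supported(0.75, 256, 128), 2))
```

The 12-bit pool is deliberately tiny so the enumeration finishes instantly; the point is that the cost scales with the conditional entropy of the ad-hoc input, not with anything about /dev/random.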
