> You generate a new PGP keypair and start using it. Your
> co-worker reboots your machine afterwards and recovers
> the PRNG state that happens to be stashed on disk. He
> can then backtrack and potentially recover the exact same
> random numbers that you used for your key.

        If that is possible, then Yarrow's algorithm is badly broken. It should not
be possible to run a PRNG backwards without knowing what it output. Once it
outputs something, the state information neccessary to produce that output
should be removed by the output process.

        Imagine if I have a PRNG in state 0 (which I'll call "S(0)"). It then
outputs a particular 32-bit PRN, called 'A' and is now in a new state S(1).
Now, if one tries to backtrack from S(1) to S(0), one needs to know A. For
every possible 32-bit A that could have been output, there's a different
corresponding S'(0) (state that might have been S(0)). Since the attacker
does not know A, he does not know which S'(0) corresponds to S(0), and hence
cannot backtrack.

        Since the people who developed this algorithm are pretty bright, I will
conculde that this is not the case.


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to