On Fri, May 16, 2008 at 11:24:45AM -0400, Geoff Thorpe wrote:
> On Friday 16 May 2008 00:47:52 Thor Lancelot Simon wrote:
> > On Thu, May 15, 2008 at 11:45:14PM +0200, Bodo Moeller wrote:
> > > It may be zero, but it may be more, depending on what happened earlier
> > > in the program if the same memory locations have been in use before.
> > > This may very well include data that would be unpredictable to
> > > adversaries -- i.e., entropy; that's the point here.
> >
> > Unfortunately, it may also very well include data that would be
> > highly predictable to adversaries.
>
> If feeding predictable data into a PRNG that was already well seeded with
> unpredictable data produced a weaker PRNG, then you have found a security bug
> in the PRNG and I suggest you publish.
Yeah, I've heard that a few times. However, consider the pathological case, in which an adversary manages to introduce N-1 bits of known state into your PRNG which has N bits of internal state. Are you comfortable with that? For what value M are you comfortable with N - M bits of the state having been introduced by the adversary? Why?

It seems to me that best practice is to not introduce such state if one can avoid it, whether one counts it into an entropy estimate or not.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
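An added illustration of the entropy-accounting question raised in this thread (example code written for this archive page, not OpenSSL's RAND implementation or anything posted by the participants): a toy hash-based pool that credits only the entropy its caller declares, so that mixing in a large volume of adversary-known bytes neither raises nor lowers the credited figure. The "pathological case" above is then simulated directly: everything mixed into the pool is known to the adversary except one M-bit value, and the work needed to recover the pool's first output is 2^M trials regardless of how much known data was mixed in. The class and function names, the SHA-256-based mixing, and the sample inputs are all constructed for this example.

```python
import hashlib


class Pool:
    """Toy entropy pool: SHA-256 chaining plus an explicit entropy counter.

    Constructed for illustration only; it is not a production PRNG and is
    not modelled on OpenSSL's md_rand design.
    """

    STATE_BITS = 256  # size of the hash state; the counter never exceeds it

    def __init__(self) -> None:
        self.state = bytes(32)
        self.entropy_bits = 0.0

    def add(self, data: bytes, entropy_estimate: float) -> None:
        # Mix the input into the state. The counter moves only by the
        # caller's estimate, never by len(data): adversary-known bytes are
        # mixed with an estimate of 0 and so credit nothing.
        self.state = hashlib.sha256(self.state + data).digest()
        self.entropy_bits = min(self.STATE_BITS, self.entropy_bits + entropy_estimate)

    def generate(self, n: int) -> bytes:
        # Expand the state into output, then ratchet so that a leaked
        # output does not reveal the current state.
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(self.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        self.state = hashlib.sha256(self.state + b"ratchet").digest()
        return out[:n]


# Constructed "known" inputs standing in for uninitialized-buffer contents,
# PIDs, timestamps, and similar material an adversary can predict.
KNOWN_INPUTS = [
    b"stale-heap-contents-the-adversary-wrote-earlier",
    b"pid=1234",
    b"timestamp-known-to-adversary",
]


def build_pool(known_inputs: list[bytes], secret_value: int, secret_bits: int) -> Pool:
    """Seed a pool with adversary-known data plus one genuinely secret value."""
    pool = Pool()
    for blob in known_inputs:
        pool.add(blob, entropy_estimate=0)        # known: credited 0 bits
    pool.add(secret_value.to_bytes(4, "big"), entropy_estimate=secret_bits)
    return pool


def brute_force_secret(known_inputs: list[bytes], observed: bytes, secret_bits: int):
    """Enumerate the 2^secret_bits possible secrets; return (found, trials).

    This is the defender's cost model for the thread's question: with N - M
    bits of state supplied by the adversary, only 2^M states remain.
    """
    for guess in range(1 << secret_bits):
        if build_pool(known_inputs, guess, secret_bits).generate(16) == observed:
            return True, guess + 1
    return False, 1 << secret_bits


def demo(secret_value: int = 0x2A5, secret_bits: int = 12):
    """Return (recovered?, trials needed, bits the pool credited itself)."""
    victim = build_pool(KNOWN_INPUTS, secret_value, secret_bits)
    credited = victim.entropy_bits          # 12.0 despite ~100 bytes mixed in
    observed = victim.generate(16)
    found, trials = brute_force_secret(KNOWN_INPUTS, observed, secret_bits)
    return found, trials, credited


if __name__ == "__main__":
    print(demo())  # (True, 678, 12.0): 2^12 candidates, secret found at index 0x2A5
```

Two things to take from running it: the credited entropy is decided by the estimate passed to `add`, not by the byte count, so piling in predictable data is harmless to the accounting but also buys nothing; and once the real secret is small, the adversary-known remainder of the state does not slow the search at all, which is the concrete form of the "N - M bits" question.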