Hi,

> > If feeding predictable data into a PRNG that was already well seeded with
> > unpredictable data produced a weaker PRNG, then you have found a security
> > bug in the PRNG and I suggest you publish.
>
> Yeah, I've heard that a few times. However, consider the pathological case,
> in which an adversary manages to introduce N-1 bits of known state into your
> PRNG which has N bits of internal state. Are you comfortable with that?
Yes and no. No, because I don't like it if an attacker even knows a single bit of the internal state of the PRNG. But yes, because it simply doesn't work the way your question makes it seem: if you "add" known bits to the state, those do _not_ simply replace the state bits but are "mixed into it". If you have N state bits, even if you add N^2 or 2^N or whatever bits to the state, you still don't know any single bit of the state.

I'll give a simplified example of how this "mixing in" works, so you can see for yourself why everybody is confident about this: think of "adding bits of known state" as really adding "N-bit numbers" via standard addition (ignoring the overflow bit, i.e. addition modulo 2^N). So you have an unknown state and add a known number to it (or any number of known numbers). You still don't know the sum, i.e. the internal state is still perfectly safe. And vice versa, if you do know the resulting state (or even a single bit in it), you can simply do a subtraction and get to know the original state (or the corresponding single bit in it), i.e. if the new state is predictable, so is the original one, i.e. you don't lose any security.

On the other hand, if an attacker got to know some bits of the internal state and you "add" N unknown bits into the state, the result will be unknown again. So the worst case (all bits are known) doesn't do any harm, while the best case (some bits are really unpredictable) is really helpful.

HTH,
Stefan

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
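The modular-addition model from Stefan's reply, worked through as an added example (not code from the thread or from OpenSSL): an attacker's uncertainty is modelled as the set of N-bit states still consistent with what they know. The `mix` function, the 8-bit state size and the sample inputs are constructed for the demonstration and are not a real PRNG.

```python
"""Toy model of mixing data into an N-bit PRNG state by addition mod 2**N."""
from typing import Iterable, Set

N_BITS = 8            # constructed: a tiny state so candidate sets are enumerable
MOD = 1 << N_BITS


def mix(state: int, data: int) -> int:
    """Mix one N-bit value into the state: plain addition modulo 2**N."""
    return (state + data) % MOD


def candidates_after_mixing_known(candidates: Set[int], known: Iterable[int]) -> Set[int]:
    """Attacker's candidate states after the pool absorbs values the attacker knows.
    Addition mod 2**N is a bijection, so the set is permuted, never shrunk."""
    for d in known:
        candidates = {mix(s, d) for s in candidates}
    return candidates


def candidates_after_mixing_unknown(candidates: Set[int]) -> Set[int]:
    """Attacker's candidate states after the pool absorbs one value the attacker
    does not know: every residue is reachable, so uncertainty is back to 2**N."""
    return {mix(s, d) for s in candidates for d in range(MOD)}


def recover_old_state(new_state: int, known: Iterable[int]) -> int:
    """Subtraction undoes known mixing: learning the new state reveals the old
    one, so the old state was exactly as (un)predictable as the new one."""
    for d in reversed(list(known)):
        new_state = (new_state - d) % MOD
    return new_state


def demo() -> dict:
    full = set(range(MOD))
    known_inputs = [0x17, 0xFF, 0x01]             # constructed attacker-chosen data
    # Attacker already knows the low 4 bits of the state are 0b0101 (16 candidates).
    partially_known = {s for s in full if s & 0xF == 0x5}
    return {
        "known_into_unknown": len(candidates_after_mixing_known(full, known_inputs)),
        "partial_after_known_only": len(candidates_after_mixing_known(partially_known, known_inputs)),
        "unknown_into_partially_known": len(candidates_after_mixing_unknown(partially_known)),
        "round_trip": recover_old_state(mix(mix(0xA3, 0x17), 0xFF), [0x17, 0xFF]) == 0xA3,
    }


if __name__ == "__main__":
    print(demo())
```

The counts show the three claims in the post: known data leaves 256 candidates at 256, it leaves 16 candidates at 16 (no harm, no help), and one unknown value takes 16 candidates back to 256.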