On 12/22/2010 11:44 AM, Kjell Wooding wrote:
> Can you please stop wasting time asking questions before you bother to read
> about what you are asking?

Consider the possibility that I have, in fact, read a little bit about it and am asking some of these questions because I suspect you don't actually have a good answer for them. People who are deeply convinced of their correctness usually aren't able to reflect on it objectively.

> On Wed, Dec 22, 2010 at 10:00 AM, Marsh Ray <[email protected]> wrote:

>> How is this different, except for perhaps the intermediate arc4 cipher.
>> What does that add, other than crappiness? (RC4 is known to be
>> distinguishable from a good random source.)

> Oh good grief. Yes, ARC4 is being used to stretch a random source. Feel free
> to hunt for the distinguisher in the OpenBSD multi-consumer model.

This one does it in 2^26 bytes:
http://www.iacr.org/cryptodb/data/paper.php?pubkey=2597

Let's see, (libc)arc4random.c says:
>     arc4_count = 1600000;

That's about 2^20 so you'd get 41 reseedings generating that much input data. But how much would these reseedings disrupt the statistics process?

This distinguisher works by looking at the probability of pairs of bytes being repeated (2 to 5 times) within a certain number of rounds (having a gap 'g' between them). Fig 3 shows their results for gaps from 0 to 60. It looks like the data collection cost incurred by a reseeding would be comparable to the amount recommended to skip after initialization: 256 bytes.

So the current reseeding regimen on libc's arc4random probably requires this distinguisher to consume something like 0.02% more data to reach the same success rate.

> There's a good paper in there. If you can show a distinguisher (even without
> reseedings) with an equivalent number of consumers randomly pulling data
> from the stream, then you might be able to tell us how long we should go
> between reseeding.

Don't take my word for it. RC4 doesn't even meet the minimum standards for the payment card industry (PCI).

> I would be (very?) surprised if you have time to see a bias under the
> current model (multi-consumer, rapid reseeding), though that doesn't mean it
> isn't possible.

They wouldn't let you encrypt a MasterCard number with it, why would you use it for nonce and key generation on a supposedly "strong crypto"-oriented OS?

> The problem is you are asking boneheaded questions without
> taking the time to understand what you are asking about. You are all noise,
> and no signal.

Was that an example of a boneheaded question?

- Marsh
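The exchange above rests on two technical points: that RC4 keystream is measurably non-uniform, and that a 256-byte skip after (re)keying plus periodic reseeding changes how much data a distinguisher needs. The following is an added example, not code from Marsh Ray's mail, from Kjell Wooding, or from OpenBSD's arc4random. It implements plain RC4, measures the well-known Mantin-Shamir second-byte bias (the second keystream byte is 0 with probability about 2/256 rather than 1/256), shows that discarding the first 256 bytes removes that particular bias, and redoes the reseeding arithmetic from the mail. The 16-byte keys, the seeded PRNG used to generate them, the trial count, and the choice of this bias (rather than the digraph-repetition distinguisher in the cited paper) are all assumptions of the example.

```python
"""RC4 keystream bias demonstration (added example, not code from the thread).

Checks the Mantin-Shamir second-byte bias of raw RC4 output and shows that
skipping the first 256 keystream bytes, the skip mentioned in the mail,
removes it. Also reproduces the mail's reseeding arithmetic.
Assumptions: 16-byte keys from a seeded PRNG (constructed input), 25000 trials.
"""
import random


def rc4_keystream(key: bytes, n: int, skip: int = 0) -> bytes:
    """Return n bytes of RC4 keystream for `key` after discarding `skip` bytes."""
    # Key-scheduling algorithm (KSA): permute S under control of the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit bytes, optionally
    # throwing away the first `skip` of them.
    i = j = 0
    out = bytearray()
    for k in range(skip + n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        z = S[(S[i] + S[j]) & 0xFF]
        if k >= skip:
            out.append(z)
    return bytes(out)


def second_byte_zero_rate(trials: int, skip: int = 0, seed: int = 1) -> float:
    """Fraction of random 16-byte keys whose second emitted keystream byte is 0.

    A uniform source gives 1/256 (about 0.0039); raw RC4 gives about 2/256.
    Keys come from a seeded PRNG so the measurement is reproducible.
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")  # constructed key
        if rc4_keystream(key, 2, skip=skip)[1] == 0:
            zeros += 1
    return zeros / trials


def reseed_overhead(distinguisher_bytes: int, reseed_every: int, skip: int):
    """Number of reseedings that fall inside one distinguisher run, and the
    fraction of extra data needed if each reseeding wastes `skip` bytes.

    The mail's figures: 2^26 bytes for the distinguisher, a reseed every
    1,600,000 bytes (arc4_count), 256 bytes skipped per reseed.
    """
    reseeds = distinguisher_bytes // reseed_every
    extra_fraction = reseeds * skip / distinguisher_bytes
    return reseeds, extra_fraction


if __name__ == "__main__":
    trials = 25000
    print("P[z2 == 0], no skip  :", second_byte_zero_rate(trials))
    print("P[z2 == 0], skip 256 :", second_byte_zero_rate(trials, skip=256))
    print("uniform reference    :", 1 / 256)
    r, f = reseed_overhead(2 ** 26, 1_600_000, 256)
    print(f"reseedings inside 2^26 bytes: {r}, extra data fraction: {f:.4%}")
```

Run stand-alone it prints the three rates side by side; the no-skip rate sits near 0.0078 and the skip-256 rate near 0.0039. The overhead function returns 41 reseedings and an extra-data fraction of roughly 0.016%, which is the "something like 0.02%" estimate in the mail, under the simplifying assumption that each reseed only costs the distinguisher one skip's worth of samples.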
