On 12/22/2010 01:42 PM, Ted Unangst wrote:
This distinguisher works by looking at the probability of pairs of bytes
being repeated (2 to 5 times) within a certain number of rounds (having a
gap 'g' between them). Fig 3 shows their results for gaps from 0 to 60. It
looks like the data collection cost incurred by a reseeding would be comparable
to the amount recommended to skip after initialization: 256 bytes.

I'm not sure how you arrived at this result. The new stream is
unrelated to the old one. Otherwise, why not just treat all RC4
streams as the same?

Yes, they very nearly are. To a man with a memory of 30 minutes or so,
every new year is unrelated to the old one. To a statistical test that
only looks back on the last 30 bytes or so of history for a
low-probability event, something that changes every few MB won't affect it.
This distinguisher works on samples of any four bytes of output from any
RC4 stream regardless of keying. (But it needs less data if you give
it slightly longer sequences.) Which is the key property of an RNG:
every output value is the same until you look at it.

Which is why I'm wondering what, exactly, this 'multi-consumer' design
feature is all about. Is it simply that more userland stuff is pinging
the kernel at unpredictable times resulting in more timestamps feeding
into the central entropy pool? It seems like you could accomplish that
with any syscall. Or is there some other effect being claimed?
- Marsh
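The digraph-repetition statistic the thread talks about, as an added example that is not part of the original exchange and not code from any arc4random implementation. It implements the count of byte pairs that reappear after a gap of `g` bytes, compares it with what a uniform source would give, and runs it over a stream that is rekeyed every block, which makes the point above concrete: the test only ever looks at a window of `g + 4` bytes, so reseed boundaries are invisible to it. The RC4 routine is textbook RC4 with no initial bytes dropped; the block size, gaps and sample sizes are assumptions chosen for illustration, and at the sizes used here the RC4 bias is well below the sampling noise, so the ratios printed hover near 1.0 for both sources.

```python
"""Digraph-repetition statistic (ABSAB pattern) over RC4 and OS randomness.

Added example; the window/gap parameters and block size are assumptions.
"""
import math
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA). Nothing is dropped, so early-output biases remain."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(n)
    i = j = 0
    for k in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[k] = S[(S[i] + S[j]) & 0xFF]
    return bytes(out)


def rekeyed_rc4_stream(total: int, block: int, key_len: int = 16) -> bytes:
    """Concatenate independent RC4 keystreams, each under a fresh random key.

    Models a generator that reseeds every `block` bytes (assumed block size).
    """
    chunks = []
    produced = 0
    while produced < total:
        n = min(block, total - produced)
        chunks.append(rc4_keystream(os.urandom(key_len), n))
        produced += n
    return b"".join(chunks)


def digraph_repeats(data: bytes, gap: int) -> int:
    """Count positions p where the pair at p reappears after `gap` bytes:
    data[p:p+2] == data[p+2+gap:p+4+gap]. Each check touches only gap+4 bytes,
    so the statistic never sees where one keystream ends and the next begins.
    """
    count = 0
    for p in range(len(data) - gap - 3):
        if data[p] == data[p + 2 + gap] and data[p + 1] == data[p + 3 + gap]:
            count += 1
    return count


def repeat_stats(data: bytes, gap: int):
    """Return (observed, expected_under_uniform, ratio, z_score) for one gap.

    A uniform source repeats a specific 16-bit pair with probability 2**-16
    at every position; z measures the deviation in standard deviations.
    """
    positions = len(data) - gap - 3
    observed = digraph_repeats(data, gap)
    expected = positions / 65536.0
    z = (observed - expected) / math.sqrt(expected)
    return observed, expected, observed / expected, z


def compare_sources(total: int = 200_000, block: int = 1024, gaps=(0, 1, 2, 8)):
    """Run the statistic on a rekeyed RC4 stream and on os.urandom of equal size."""
    rc4 = rekeyed_rc4_stream(total, block)
    sys_rand = os.urandom(total)
    return {g: {"rc4": repeat_stats(rc4, g), "urandom": repeat_stats(sys_rand, g)}
            for g in gaps}


if __name__ == "__main__":
    for g, res in compare_sources().items():
        for name, (obs, exp, ratio, z) in res.items():
            print(f"gap={g:2d} {name:8s} observed={obs:5d} expected={exp:8.1f} "
                  f"ratio={ratio:.3f} z={z:+.2f}")
```

To see the bias itself rather than just the mechanics, `total` has to grow by orders of magnitude (the published distinguisher needs on the order of 2^26 bytes or more); the useful observation at small sizes is that changing `block` does nothing to the statistic, which is the "30 bytes of history" argument made in the reply.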