[cryptography] Duplicate primes in lots of RSA moduli
thierry.moreau at connotech.com
Fri Feb 17 14:32:33 EST 2012
D. J. Bernstein wrote:
> There are of course more defenses that one can add to provide resilience
> against more severe randomness deficiencies: one can start with more
> random bits and hash them down to 256 bits; use repeated RDTSC calls as
> auxiliary randomness input; etc. These details have essentially nothing
> to do with the choice of cryptographic primitive, and the whole point of
> /dev/urandom is to centralize these details and get them right rather
> than having everybody reimplement them badly. It would be interesting to
> understand how /dev/urandom failed for the repeated RSA primes---I'm
> presuming here that /dev/urandom was in fact the main culprit.
Isn't /dev/urandom BY DEFINITION of limited true entropy? True entropy
collection may take time (and is inescapably based on environmental
assumptions) while /dev/urandom is defined as non-blocking. No matter
the theoretical properties of the (deterministic) PRNG component of
/dev/urandom, they cannot expand *true* entropy.
And this is so, no matter the amount of details you delegate to reputed
security software developers.
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
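The randomness failure this thread is about, as a constructed toy added here (not code from the list or from either poster): a key generator seeded from only a few bits of boot-time entropy draws the same p on many devices while q differs because more entropy has trickled in by then, and the pairwise-gcd audit a key owner runs over their own inventory flags the shared factor. The function names, the 48-bit toy primes and the fleet simulation are assumptions of this example.

```python
import random
from hashlib import sha256
from math import gcd
BASES = (2, 3, 5, 7, 11, 13, 17)  # deterministic Miller-Rabin below 3.4e14

def is_prime(n):
    if n < 2 or any(n % p == 0 for p in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(rng, bits):
    while True:  # odd candidate with the top bit set, retried until prime
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand

def gen_modulus(boot_entropy, later_entropy, bits=48):
    """Toy generator: p is drawn right after seeding from thin boot-time
    entropy; q only after more entropy (e.g. timing noise) is mixed in."""
    rng = random.Random(int.from_bytes(sha256(boot_entropy).digest(), "big"))
    p = gen_prime(rng, bits)
    rng.seed(int.from_bytes(sha256(boot_entropy + later_entropy).digest(), "big"))
    q = gen_prime(rng, bits)
    return p * q

def simulate_fleet(n_devices, boot_bits, seed=1234):
    """Constructed fleet: boot_bits of real entropy at first draw, 32 more later."""
    world = random.Random(seed)
    return [gen_modulus(world.getrandbits(boot_bits).to_bytes(8, "big"),
                        world.getrandbits(32).to_bytes(4, "big"))
            for _ in range(n_devices)]

def find_shared_factors(moduli):
    """Key-inventory audit: gcd > 1 between two moduli means a shared prime."""
    return [(i, j, gcd(moduli[i], moduli[j]))
            for i in range(len(moduli)) for j in range(i + 1, len(moduli))
            if gcd(moduli[i], moduli[j]) > 1]
```

With 20 devices and only 4 bits of boot entropy, the pigeonhole principle alone guarantees repeated p values; the same fleet with 64 bits of boot entropy audits clean.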