[cryptography] Applications should be the ones [GishPuppy]

Jon Callas jon at callas.org
Fri Feb 17 15:55:20 EST 2012


On Feb 17, 2012, at 12:14 PM, Jack Lloyd wrote:

> On Fri, Feb 17, 2012 at 11:33:15AM -0800, Jon Callas wrote:
> 
>> Really?
>> 
>> Let's suppose I've completely compromised your /dev/random and I
>> know the bits coming out. If you pull bits out of it and put them
>> into any PRNG, how is that not just Bits' = F(Bits) ? Unless F is a
>> secret function, I just compute Bits' myself. If F is a secret
>> function than the security is exactly the secrecy of F.  Jon
> 
> Sorry, perhaps I wasn't clear that my reference was to having
> additional entropy gathering code is also useful on platforms with a
> /dev/random, because your PRNG output is
>  F(Bits from /dev/random || Bits from somewhere else).
> 
> So I suppose in some sense this coincides with your second case, as
> one could view the above as F(Bits from /dev/random) where F is keyed
> with an input chosen from a non-uniform distribution, and certainly I
> concur that if you know or can easily guess both the entire output of
> /dev/random and the complete results of whatever ad-hoc system
> specific entropy gathering is available then you could in fact also
> guess the PRNG output. And I concur that if you know the /dev/random
> output then the security of the PRNG would rest entirely on the
> conditional entropy of the ad-hoc polling -- which is precisely my
> point as to why it is a useful approach, because it requires two
> things to fail instead of just one.
> 
> Additionally there is a more plausible case than you know exactly what
> bits my /dev/random will produce, which is that you know something
> about the probability distribution of the output that distinguishes it
> from uniform random. In that case, even F(Bits) could be useful if you
> are compressing down in size (eg transforming 2*N bits of input into N
> bits of key material).

Okay, I get it. That is *precisely* the case where you'd want to seed a local PRNG. The local PRNG is likely a good compression function as well. 

	Jon




More information about the cryptography mailing list