[11250] in cryptography@c2.net mail archive


Re: building a true RNG

daemon@ATHENA.MIT.EDU (David Wagner)
Mon Jul 29 20:05:01 2002

From: David Wagner <daw@cs.berkeley.edu>
To: reinhold@world.std.com (Arnold G. Reinhold)
Date: Mon, 29 Jul 2002 14:55:36 -0700 (PDT)
Cc: dahonig@cox.net (David Honig),
	daw@cs.berkeley.edu (David Wagner),
	jsd@monmouth.com (John S. Denker),
	daw@mozart.cs.berkeley.edu (David Wagner),
	cryptography@wasabisystems.com, barney@tp.databus.com (Barney Wolff)
In-Reply-To: <v04210101b96b5fd6401c@[192.168.0.2]> from "Arnold G. Reinhold" at Jul 29, 2002 05:37:46 PM

> The reason for batching entropy input is to prevent someone who has 
> broken your system once from discovering each small entropy input by 
> exhaustive search.  (There was a nice paper pointing this out in. If 
> someone has the reference...)

I believe you are referring to the state compromise attacks
described in the following paper:
  J. Kelsey, B. Schneier, D. Wagner, C. Hall,
  "Cryptanalytic Attacks on Pseudorandom Number Generators",
  FSE'98.  http://www.counterpane.com/pseudorandom_number.html
I once wrote a short note about the relevance of this to IPSec:
  http://www.cs.berkeley.edu/~daw/my-posts/using-prngs

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
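To make the batching argument in the quoted passage concrete, here is an added toy simulation (not from this thread or the cited paper): an attacker who already holds the pool state re-synchronises by enumerating each small entropy input against one observed output, and the guesses needed per reseed grow as 2^(bits per input x inputs per batch), which is why batching before reseeding defeats the attack. The hash-based pool, the 8-byte output and the one-byte entropy samples are assumptions made for the illustration.

```python
import hashlib
import secrets
from itertools import product

# Toy model of the state-compromise (iterative guessing) attack behind the batching
# advice. Assumption: a pool where each reseed computes sha256(state || sample).

def mix(state: bytes, sample: bytes) -> bytes:
    """Fold an entropy sample into the pool."""
    return hashlib.sha256(state + sample).digest()

def output(state: bytes) -> bytes:
    """A generator output an attacker may observe (e.g. an IV or nonce)."""
    return hashlib.sha256(b"out" + state).digest()[:8]

def recover(known_state: bytes, observed: bytes, sample_len: int):
    """From a compromised pool state and one later output, enumerate every
    sample_len-byte input. Returns (resynchronised state or None, guesses)."""
    guesses = 0
    for cand in product(range(256), repeat=sample_len):
        guesses += 1
        cand_state = mix(known_state, bytes(cand))
        if output(cand_state) == observed:
            return cand_state, guesses
    return None, guesses

def simulate(batch_size: int, steps: int):
    """The generator gathers batch_size bytes of fresh entropy (unknown to the
    attacker) per reseed. The attacker, who knows the pool at the start, tries to
    follow it through `steps` reseeds. Returns (still_synchronised, total_guesses)."""
    state = secrets.token_bytes(32)
    attacker_state = state          # the compromise: attacker holds the pool
    total = 0
    for _ in range(steps):
        state = mix(state, secrets.token_bytes(batch_size))
        attacker_state, n = recover(attacker_state, output(state), batch_size)
        total += n
        if attacker_state is None:
            return False, total
    return attacker_state == state, total

def guesses_per_reseed(sample_bits: int, batch: int) -> int:
    """Worst-case search for one reseed: 2^(bits per sample * samples per batch)."""
    return 2 ** (sample_bits * batch)

if __name__ == "__main__":
    print("1-byte reseeds:", simulate(1, 4))   # tracked, at most 256 guesses each
    print("2-byte reseeds:", simulate(2, 2))   # tracked, at most 65536 guesses each
    print("8-byte batches need up to", guesses_per_reseed(8, 8), "guesses per reseed")
```

With 8-bit samples mixed one at a time the attacker stays synchronised for 256 guesses per event; batching 64 bits before each reseed pushes the same search to 2^64.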
