[147669] in cryptography@c2.net mail archive
Re: [Cryptography] "/dev/random is not robust"
daemon@ATHENA.MIT.EDU (Ray Dillinger)
Tue Oct 15 12:49:37 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 15 Oct 2013 00:57:06 -0700
From: Ray Dillinger <bear@sonic.net>
To: cryptography@metzdowd.com
In-Reply-To: <201310150153.r9F1rwqQ011302@new.toad.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 10/14/2013 06:53 PM, John Gilmore wrote:
> ... the weakness they point out seems
> to be that in some cases of new, incoming randomness with
> mis-estimated entropy, /dev/random doesn't necessarily recover over
> time from having had its entire internal state somehow compromised.
>
That was my takehome message as well. But theirs is not the first
construction to address this, nor even really the best. I recall
that Schneier's most recent PRNG recovers well from compromise too,
and I think it does so in a way that addresses the most common cases
of compromise faster than this one and the total compromise that
these authors are concerned about not much slower.
Bear
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
