[148108] in cryptography@c2.net mail archive


Re: [Cryptography] randomness +- entropy

daemon@ATHENA.MIT.EDU (Arnold Reinhold)
Mon Nov 11 17:38:42 2013

X-Original-To: cryptography@metzdowd.com
From: Arnold Reinhold <agr@me.com>
Date: Mon, 11 Nov 2013 15:30:02 -0500
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Theodore Ts'o <tytso@mit.edu>, Cryptography <cryptography@metzdowd.com>,
	RNG mlist <rng@lists.bitrot.info>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sun, 10 Nov 2013 11:48 Yaron Sheffer wrote:

> On 2013-11-08 23:31, Nico Williams wrote:
>> On Fri, Nov 08, 2013 at 12:23:57PM -0700, John Denker wrote:
>>>> I was only arguing that consuming n bits of PRNG output != lowering the
>>>> PRNG's "entropy" by n bits.
>>> 
>>> That inequality is true and useful and well said.
>> 
> My original comment was not a general statement about consuming bits 
> from the PRNG. I said that consuming PRNG bits *before the PRNG is fully 
> seeded* is a double problem:
> 
> - The consumer gets low-quality randomness.
> - The *next* consumer's entropy is lower, because the first consumer 
> might broadcast the randomness he had just received.
> 
> And then Ted said that the consumer in question ("minstrel") does cause 
> the entropy estimate to be decreased, so the second problem does not apply.

Per the above, it seems to me that some thought should be given to the advisability of logging instances where a PRNG is seeded before sufficient entropy is collected. It's at least conceivable that the logs will not be protected as tightly as the PRNG state (logs might be collected and sent to a compromised central server, for example), so an attacker might be able to examine the logs of many nodes on a network to find the few whose PRNGs are poorly seeded and focus his resources on breaking them.

Arnold Reinhold
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
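The triage Arnold describes, as an added example that is not part of the original message or of any kernel or project code. It assumes a hypothetical log format in which a node records each read from its PRNG before the pool is considered seeded, together with the pool's entropy estimate at that moment; the node names, consumer names and numbers are constructed for illustration. An attacker who can read the collected logs of a fleet ranks the nodes by how much output was handed out at the lowest observed entropy and attacks those first, which is the leak the message warns about.

```python
"""
Added example (not from the original message or any project's code).

Simulates an attacker reading centrally collected logs to find nodes whose
PRNG released output before it was fully seeded.  The log format below is
an assumption made for this example; it is not a real kernel message.
"""
import re
from collections import defaultdict

# Constructed sample logs from four nodes, in the hypothetical format:
#   <node> random: early read by <consumer> (<n> bytes, pool entropy <e> bits)
#   <node> random: crng seeded
SAMPLE_LOGS = """\
node-a random: early read by minstrel (16 bytes, pool entropy 12 bits)
node-a random: crng seeded
node-b random: crng seeded
node-c random: early read by sshd (32 bytes, pool entropy 3 bits)
node-c random: early read by minstrel (16 bytes, pool entropy 3 bits)
node-c random: crng seeded
node-d random: early read by minstrel (16 bytes, pool entropy 100 bits)
node-d random: crng seeded
"""

EARLY_READ = re.compile(
    r"^(?P<node>\S+) random: early read by (?P<consumer>\S+) "
    r"\((?P<nbytes>\d+) bytes, pool entropy (?P<ent>\d+) bits\)$"
)


def parse_early_reads(text):
    """Return {node: [(consumer, nbytes, entropy_bits), ...]} for every
    'early read' line; lines in other formats are ignored."""
    reads = defaultdict(list)
    for line in text.splitlines():
        m = EARLY_READ.match(line.strip())
        if m:
            reads[m["node"]].append(
                (m["consumer"], int(m["nbytes"]), int(m["ent"]))
            )
    return dict(reads)


def triage(text, threshold_bits=64):
    """Rank nodes that released PRNG output while the pool estimate was
    below threshold_bits.  Returns [(node, min_entropy_bits, total_bytes)],
    weakest first: lowest entropy estimate, then most bytes released.
    A node whose early reads all happened above the threshold is skipped,
    as is a node with no early reads at all."""
    ranked = []
    for node, reads in parse_early_reads(text).items():
        weak = [r for r in reads if r[2] < threshold_bits]
        if not weak:
            continue
        min_ent = min(r[2] for r in weak)
        total_bytes = sum(r[1] for r in weak)
        ranked.append((node, min_ent, total_bytes))
    ranked.sort(key=lambda t: (t[1], -t[2]))
    return ranked


if __name__ == "__main__":
    # The attacker's worklist: a node that handed out 48 bytes at an
    # estimated 3 bits of pool entropy is worth about 2**3 seed guesses.
    for node, ent, nbytes in triage(SAMPLE_LOGS):
        print(f"{node}: {nbytes} bytes released at ~{ent} bits of pool "
              f"entropy (~2**{ent} candidate pool states)")
```

The ranking only needs the log lines, not any access to the nodes themselves, which is the point: the entropy estimate and the byte count are exactly the fields an attacker wants, so if such events are logged at all, the log should be treated with the same care as the PRNG state it describes, or the estimate omitted from the line.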
