>From: John Denker <[EMAIL PROTECTED]>
>Sent: Jan 5, 2005 2:06 PM
>To: Enzo Michelangeli <[EMAIL PROTECTED]>
>Cc: cryptography@metzdowd.com
>Subject: Re: entropy depletion (was: SSL/TLS passive sniffing)

...
>You're letting your intuition about "usable randomness" run roughshod over
>the formal definition of entropy.  Taking bits out of the PRNG *does*
>reduce its entropy.  This may not (and in many applications does not)
>reduce its ability to produce useful randomness.

Right.  The critical question is whether the PRNG part gets to a secure state, 
which basically means a state the attacker can't guess in the amount of work 
he's able to do.   If the PRNG gets to a secure state before generating any 
output, then assuming the PRNG algorithm is secure, the outputs are 
indistinguishable from random.  

The discussion of how much fresh entropy is coming in is sometimes a bit 
misleading.  If you shove 64 bits of entropy in, then generate a 128-bit 
output, then shove another 64 bits of entropy in, you don't end up in a secure 
state, because an attacker can guess your first 64 bits of entropy from your 
first output.  What matters is how much entropy is shoved in between the time 
when the PRNG is in a known state, and the time when it's used to generate an 
output.  

--John Kelsey
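
The "64 bits in, output, 64 bits in" scenario in the reply above, worked through as an added example that is not part of the thread. The PRNG here is a toy construction built on SHA-256 (an assumption for illustration, not any real system's design), and the entropy chunks are shrunk from 64 bits to 16 bits so the search runs in well under a second. It shows why the attacker's cost is roughly two searches of 2^16 when output is generated between the two injections, versus a single search of 2^32 when both chunks are mixed in before the first output.

```python
import hashlib

# Toy parameters (assumptions for illustration; the post talks about 64-bit chunks).
CHUNK_BITS = 16
CHUNK_BYTES = CHUNK_BITS // 8
KNOWN_START_STATE = b"\x00" * 32  # the "known state" the post refers to


def prng_step(state: bytes, entropy: bytes) -> bytes:
    """Mix a fresh entropy chunk into the state (toy SHA-256 construction)."""
    return hashlib.sha256(b"mix" + state + entropy).digest()


def prng_output(state: bytes) -> bytes:
    """Derive an output block from the state without revealing the state itself."""
    return hashlib.sha256(b"out" + state).digest()[:16]


def run_incremental(e1: bytes, e2: bytes, start: bytes = KNOWN_START_STATE):
    """Inject chunk 1, emit output, inject chunk 2, emit output (the weak pattern)."""
    s1 = prng_step(start, e1)
    out1 = prng_output(s1)
    s2 = prng_step(s1, e2)
    out2 = prng_output(s2)
    return out1, out2


def run_batched(e1: bytes, e2: bytes, start: bytes = KNOWN_START_STATE) -> bytes:
    """Inject both chunks before emitting anything (the pattern the post recommends)."""
    s2 = prng_step(prng_step(start, e1), e2)
    return prng_output(s2)


def recover_chunk(prev_state: bytes, observed: bytes):
    """Search all 2**CHUNK_BITS chunks from a known prior state until one
    reproduces the observed output. Returns (chunk, new_state, guesses_made)."""
    for guess in range(1, 2 ** CHUNK_BITS + 1):
        chunk = (guess - 1).to_bytes(CHUNK_BYTES, "big")
        cand = prng_step(prev_state, chunk)
        if prng_output(cand) == observed:
            return chunk, cand, guess
    raise ValueError("no chunk reproduces the observed output")


def attack_incremental(out1: bytes, out2: bytes, start: bytes = KNOWN_START_STATE):
    """Recover both chunks one at a time: each step costs at most 2**CHUNK_BITS,
    because the output emitted between injections pins down the intermediate state."""
    c1, s1, g1 = recover_chunk(start, out1)
    c2, _s2, g2 = recover_chunk(s1, out2)
    return c1, c2, g1 + g2


def batched_work_factor() -> int:
    """Size of the search space when no output separates the two injections."""
    return 2 ** (2 * CHUNK_BITS)


if __name__ == "__main__":
    # Constructed sample chunks; any values work.
    e1 = (0xBEEF).to_bytes(CHUNK_BYTES, "big")
    e2 = (0x1234).to_bytes(CHUNK_BYTES, "big")
    out1, out2 = run_incremental(e1, e2)
    c1, c2, guesses = attack_incremental(out1, out2)
    print("recovered:", c1.hex(), c2.hex(), "in", guesses, "guesses")
    print("batched search space:", batched_work_factor())
```

The defensive reading is the one the reply gives: count only the entropy mixed in between the last state an attacker could know and the next output, and hold output until that count is large enough, rather than summing everything that was ever fed in.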

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]