On Tue, Mar 11, 2014 at 07:13:44PM +0000, Alyssa Rowan wrote:
> B. A 'running' state, which uses that key, holds it securely, and runs
>    a good deterministic random bit generator to generate as much
>    randomness as we need [up to some limit].
> 
> Specifically, djb advocates running A -then- run B (presumably, up to
> some defined limit, as no DRBG is sound _ad infinitum_, then we'd have
> to block and go back to A to gather another key?).

I'll note that a criterion for judging RNGs which is very popular
with academics who love to write papers poking (theoretical) holes
into random number generators is how quickly an RNG can recover from
state compromise.

One of the reasons why some people love RNGs such as Fortuna and
Yarrow is that they are specifically designed to recover from state
compromises --- and the scheme which djb has suggested would do poorly
on that particular metric.

Does it matter?  Well, entire virtual forests of electronic trees have
been felled by people speculating on whether fast/reliable recovery
from state recovery is critically important compared to other design
considerations.

Personally, my take is that if you can compromise the state of the
RNG, you can probably do far more damage, so I'm not convinced state
compromise is a very high priority threat to defend against.  But
there are tons and tons of academic papers which are convinced that
any RNG which doesn't worry about this attack is Fatally Flawed.

                                              - Ted
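The property being argued about above (how long a generator stays predictable once its internal state has been copied, and how periodic reseeding bounds that window) is easy to see in a toy model. The following is an added example written for this page, not code from the thread or from Fortuna, Yarrow or djb's design. It builds a small HMAC-based generator in the spirit of the quoted two-state scheme (a key is gathered, then a deterministic generator runs from it) and compares two configurations: one that never reseeds and one that folds fresh entropy into its key every few outputs. A simulated observer who copied the state keeps a parallel instance and counts how many subsequent outputs it predicts correctly. The class name, the domain-separation strings and the reseed interval are all constructed for illustration.

```python
"""Toy model of DRBG 'recovery from state compromise'.

Constructed example: a minimal HMAC-SHA256 generator. One instance never
reseeds (the state copied at compromise time determines every later output);
the other mixes fresh entropy into its key every `reseed_interval` outputs,
so a copied state stops being useful at the next reseed. Nothing here is a
production DRBG; it only demonstrates the metric discussed in the message.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional


class ToyDRBG:
    """Hypothetical generator: key + counter, HMAC output, key ratchet, optional reseed."""

    def __init__(self, seed: bytes, reseed_interval: Optional[int] = None):
        # "State A" of the quoted design: derive the working key from gathered entropy.
        self.key = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0
        self.reseed_interval = reseed_interval

    def _reseed(self, fresh_entropy: bytes) -> None:
        # Fold new entropy into the key. After this, the old key alone no longer
        # determines future output, which is what "recovery" means here.
        self.key = hmac.new(self.key, b"reseed" + fresh_entropy, hashlib.sha256).digest()

    def generate(self, entropy_source: Callable[[], bytes]) -> bytes:
        # "State B": deterministic output block from the current key and counter.
        out = hmac.new(self.key, b"out" + self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        # Ratchet the key forward so past outputs cannot be recomputed from a
        # later state (backtracking resistance; it does not help against a
        # compromise of the current state, which is the point of the example).
        self.key = hmac.new(self.key, b"next", hashlib.sha256).digest()
        self.counter += 1
        if self.reseed_interval and self.counter % self.reseed_interval == 0:
            self._reseed(entropy_source())
        return out

    def clone(self) -> "ToyDRBG":
        # Models a state compromise: an exact copy of key, counter and configuration.
        copy = ToyDRBG.__new__(ToyDRBG)
        copy.key, copy.counter, copy.reseed_interval = self.key, self.counter, self.reseed_interval
        return copy


def predictable_outputs_after_compromise(reseed_interval: Optional[int],
                                         warmup: int = 2,
                                         total_outputs: int = 20) -> int:
    """Return how many consecutive outputs a copied state predicts correctly.

    The victim draws reseed entropy from os.urandom; the observer holding the
    copied state has no access to that entropy and can only guess (zeros).
    """
    victim = ToyDRBG(os.urandom(32), reseed_interval)
    for _ in range(warmup):
        victim.generate(lambda: os.urandom(32))
    observer = victim.clone()  # the compromise happens here

    predicted = 0
    for _ in range(total_outputs):
        real = victim.generate(lambda: os.urandom(32))
        guess = observer.generate(lambda: bytes(32))
        if real != guess:
            break
        predicted += 1
    return predicted


if __name__ == "__main__":
    print("no reseeding      :", predictable_outputs_after_compromise(None), "of 20 outputs predicted")
    print("reseed every 4 out:", predictable_outputs_after_compromise(4), "of 20 outputs predicted")
```

With no reseeding every one of the 20 post-compromise outputs is predicted; with a reseed every four outputs and two outputs already produced before the copy, only the two outputs before the next reseed are predictable, after which the observer's guess of the entropy is wrong and the streams diverge. Shrinking the reseed interval shrinks that window, at the cost of needing fresh entropy more often, which is exactly the trade-off the message says people disagree about.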


_______________________________________________
dsfjdssdfsd mailing list
https://www.ietf.org/mailman/listinfo/dsfjdssdfsd
