On Sun, May 18, 2008 at 08:41:36AM -0700, Michael Sierchio wrote:
> Thor Lancelot Simon wrote:
>
> > ... However, consider the pathological case,
> > in which an adversary manages to introduce N-1 bits of known state into your
> > PRNG which has N bits of internal state. ...
>
> What you seem not to understand from this discussion is that the
> internal state is a consequence of input that is processed via
> a diffusion mechanism, a cryptographic hash such as SHA1 or MD5
> or something stronger. These change roughly half the bits of
> their output when a single input bit is changed.
So you're comfortable with the adversary knowing, let's say, 511 of the
first 512 bits fed through SHA1?

Maybe I haven't been clear enough here: I specifically object to
introducing easy-to-know information into the PRNG at startup time, though
if one is going to feed it in at other times because "it can't hurt" and
extra iterations of the mixing function are thought to be helpful, I can't
really see why not feed in 0xFFFF every 100ms from a timer -- it'd do about
as much good.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
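An added example, not part of the thread and not OpenSSL's own RAND code, that models the two positions above in Python with a toy pool whose state is SHA1 of everything fed into it. The functions `mix`, `seed_prng`, `attacker_recover` and `demo`, and the "predictable startup data" seed prefix, are constructed for this illustration. It shows Michael's diffusion point (flipping one input bit changes about half of the 160 output bits) and Thor's objection (when 511 of the first 512 seed bits are known, the state is recovered in at most two guesses, and appending any amount of predictable 0xFFFF filler does not raise that cost):

```python
import hashlib
import secrets

STATE_LEN = 20  # SHA1 digest length in bytes


def mix(state: bytes, chunk: bytes) -> bytes:
    """One toy mixing step: new_state = SHA1(old_state || chunk).

    This models the 'diffusion mechanism' discussed in the thread; it is an
    assumption of this example, not OpenSSL's real RAND_add/RAND_seed code.
    """
    return hashlib.sha1(state + chunk).digest()


def seed_prng(chunks: list[bytes]) -> bytes:
    """Feed every chunk through the mixer, starting from an all-zero state."""
    state = b"\x00" * STATE_LEN
    for chunk in chunks:
        state = mix(state, chunk)
    return state


def hamming_distance(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def diffusion_demo() -> int:
    """Flip one bit of a 512-bit input and count how many of the 160 output
    bits change. Roughly half (about 80) is expected."""
    base = b"A" * 64                              # constructed input
    flipped = bytes([base[0] ^ 0x01]) + base[1:]  # same input, one bit flipped
    return hamming_distance(seed_prng([base]), seed_prng([flipped]))


def make_seed(known_prefix: bytes, tail: int, unknown_bits: int) -> bytes:
    """Seed = attacker-known prefix || the few unknown bits packed in the tail."""
    return known_prefix + tail.to_bytes((unknown_bits + 7) // 8, "big")


def attacker_recover(known_prefix: bytes, unknown_bits: int,
                     filler: list[bytes], target_state: bytes):
    """Recover the pool state knowing all seed material except `unknown_bits`.

    The attacker replays the known material (prefix and filler) with each
    candidate for the unknown bits until the state matches. Returns
    (recovered_tail, tries); the work is 2**unknown_bits no matter how
    many times the mixer ran.
    """
    tries = 0
    for candidate in range(1 << unknown_bits):
        tries += 1
        seed = make_seed(known_prefix, candidate, unknown_bits)
        if seed_prng([seed] + filler) == target_state:
            return candidate, tries
    return None, tries


def demo(unknown_bits: int = 1, filler_count: int = 10):
    """Seed with 512 bits of which only `unknown_bits` are secret, then add
    `filler_count` chunks of 0xFFFF (the thread's timer input).
    Returns (attacker_succeeded, tries)."""
    tail_len = (unknown_bits + 7) // 8
    # constructed, predictable startup material: a fixed string, zero-padded
    known_prefix = b"predictable startup data".ljust(64 - tail_len, b"\x00")
    secret_tail = secrets.randbelow(1 << unknown_bits)
    filler = [b"\xff\xff"] * filler_count

    target_state = seed_prng(
        [make_seed(known_prefix, secret_tail, unknown_bits)] + filler)
    recovered, tries = attacker_recover(known_prefix, unknown_bits,
                                        filler, target_state)
    return recovered == secret_tail, tries


if __name__ == "__main__":
    print("output bits changed by a 1-bit input flip:", diffusion_demo())
    print("511 of 512 seed bits known, 10 filler chunks:", demo(1, 10))
    print("504 of 512 seed bits known, no filler:", demo(8, 0))
```

The design point is that diffusion and entropy are separate properties: the hash guarantees that the state looks unrelated to its input, but the number of states an adversary must try is bounded by the bits they do not know, and predictable input (whether a fixed startup value or a timer feeding 0xFFFF) adds nothing to that count.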