On Sun, 10 Nov 2013 11:48 Yaron Sheffer wrote:
> On 2013-11-08 23:31, Nico Williams wrote:
>> On Fri, Nov 08, 2013 at 12:23:57PM -0700, John Denker wrote:
>>>> I was only arguing that consuming n bits of PRNG output != lowering the
>>>> PRNG's "entropy" by n bits.
>>>
>>> That inequality is true and useful and well said.
>>
> My original comment was not a general statement about consuming bits
> from the PRNG. I said that consuming PRNG bits *before the PRNG is fully
> seeded* is a double problem:
>
> - The consumer gets low-quality randomness.
> - The *next* consumer's entropy is lower, because the first consumer
> might broadcast the randomness he had just received.
>
> And then Ted said that the consumer in question ("minstrel") does cause
> the entropy estimate to be decreased, so the second problem does not apply.

Per the above, it seems to me that some thought should be given about the
advisability of logging instances where a PRNG is seeded before sufficient
entropy is collected. It's at least conceivable that the logs will not be
protected as tightly as the PRNG state (logs might be collected and sent to a
compromised central server, for example), so an attacker might be able to
examine the logs of many nodes on a network to find the few whose PRNGs are
poorly seeded and focus his resources on breaking them.
Arnold Reinhold
_______________________________________________
RNG mailing list
http://lists.bitrot.info/mailman/listinfo/rng
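An added illustration of the accounting Ted is credited with above (a consumer that draws output before the pool is fully seeded also lowers the pool's entropy estimate), written for this thread and not code from any of its participants or from any real kernel. The toy pool below is a hash-based model; the 256-bit seeding threshold, the credited bit counts and the sample inputs are assumptions made for the demonstration, and the model is not a usable CSPRNG.

```python
import hashlib

SEED_THRESHOLD_BITS = 256  # assumed: estimate at which the pool counts as "fully seeded"
POOL_BITS = 256            # assumed: the estimate is capped at the state size


class EntropyPool:
    """Toy entropy pool with a conservative entropy estimate (model only)."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32
        self.estimate_bits = 0
        self.early_reads = 0  # reads served before the pool was fully seeded

    def mix_in(self, data: bytes, credited_bits: int) -> None:
        """Stir an input source into the state and credit its estimated entropy."""
        self.state = hashlib.sha256(self.state + data).digest()
        self.estimate_bits = min(self.estimate_bits + credited_bits, POOL_BITS)

    def is_seeded(self) -> bool:
        return self.estimate_bits >= SEED_THRESHOLD_BITS

    def extract(self, nbytes: int, debit: bool = True) -> bytes:
        """Draw output; with debit=True the estimate is reduced by the bits drawn.

        Debiting is the accounting Ted describes: if the early consumer may
        broadcast what it received, the pool no longer claims that entropy."""
        if not self.is_seeded():
            self.early_reads += 1
        out, counter = b"", 0
        while len(out) < nbytes:
            out += hashlib.sha256(self.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        self.state = hashlib.sha256(self.state + b"advance").digest()  # forward step
        if debit:
            self.estimate_bits = max(0, self.estimate_bits - 8 * nbytes)
        return out[:nbytes]


def demo(debit_early_reads: bool) -> dict:
    """Constructed scenario: one under-seeded read, then more credited input."""
    pool = EntropyPool()
    pool.mix_in(b"boot-time-jitter (constructed)", credited_bits=64)  # under-seeded
    pool.extract(16, debit=debit_early_reads)   # early consumer takes 128 bits
    pool.mix_in(b"later hw events (constructed)", credited_bits=200)
    return {"seeded": pool.is_seeded(), "estimate_bits": pool.estimate_bits,
            "early_reads": pool.early_reads}
```

With debiting, the later consumer is still told the pool is unseeded (estimate 200 bits); without it, the same pool reports itself fully seeded even though 128 bits of its output may already be public.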