[Cryptography] randomness for libraries, e.g. OpenSSL

Ray Dillinger bear at sonic.net
Wed Nov 30 13:57:37 EST 2016



On 11/30/2016 04:18 AM, Jerry Leichter wrote:
>>>>
>>>>> As a corollary:  We need to inveigle the OS providers and
>>>>> hardware providers to solve the problem.
>>>> That.  Rather than spending energy on solving the problem in code, which is a really hard objective because of many factors, some of which are listed below, put the energy into Inveiglement....
>>> Ahem.  Intel went and provided the hardware.  And if you read the messages here ... you shouldn't trust it.  
>>
>> Well.  My advice was to trust it about five bits, on the assumption that
>> Intel was both allowed and motivated to act in good faith, and didn't
>> get sabotaged when it tried to do so.
> Why five bits?  What kind of attack leaves you with 5 bits of randomness, but no more?
> 

5 bits is my worst-case estimate that the compromise exists but requires
at least a work factor of 32 to exploit.  IOW, that an attacker with
inside knowledge still has to try at least 32 possibilities based on
some visible output before your stream is pwned. One could also say, I
am confident of the community's ability to spot any correlation in a
single source that would require a work factor of less than 32, and
confident that nobody designing such a compromise would choose one with
a smaller work factor on the grounds that it would be immediately noticed.

Your own estimate, of a couple hundred billion starting points for the
sequence, was much more generous.

					Bear
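As an added example, not code from this thread or from OpenSSL, here is a small entropy pool in Python that applies the 5-bit rule above: every sample is hashed in, but a hardware source is credited only 5 bits per sample, so 26 samples (rather than 2) must arrive before a 128-bit seed is released, and a suspect source can never seed the pool alone. Source names, caps and the threshold are assumptions chosen for illustration.

```python
import hashlib
import math

# Assumed per-source trust caps (bits credited per sample), not from the thread
# beyond the 5-bit figure for the hardware RNG.
TRUST_CAP_BITS = {
    "hwrng": 5,    # the post's estimate: work factor 32 per visible output
    "os": 64,      # an OS pool credited at face value (assumption)
}


class EntropyPool:
    """Hash-based pool with conservative per-source entropy accounting."""

    def __init__(self, reseed_threshold_bits=128):
        self._hasher = hashlib.sha256()
        self.credited_bits = 0
        self.threshold = reseed_threshold_bits

    def add(self, source, sample):
        """Mix a sample in unconditionally; credit at most the source's cap."""
        if source not in TRUST_CAP_BITS:
            raise ValueError(f"unknown source {source!r}")
        # Label and length-prefix each sample so the mixing is unambiguous.
        self._hasher.update(source.encode() + len(sample).to_bytes(2, "big") + sample)
        self.credited_bits += min(TRUST_CAP_BITS[source], 8 * len(sample))

    @property
    def seeded(self):
        return self.credited_bits >= self.threshold

    def seed(self):
        """Return the 32-byte seed, or None while the pool is under-credited."""
        if not self.seeded:
            return None
        return self._hasher.copy().digest()


def samples_needed(source, threshold_bits=128):
    """Number of samples from one source that reach the threshold under its cap."""
    return math.ceil(threshold_bits / TRUST_CAP_BITS[source])


if __name__ == "__main__":
    pool = EntropyPool()
    for i in range(samples_needed("hwrng")):        # 26 samples at 5 bits each
        pool.add("hwrng", i.to_bytes(8, "big"))      # constructed, not real RDRAND output
    print(pool.credited_bits, pool.seeded)           # 130 True
```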
