building a true RNG
David Wagner
daw at cs.berkeley.edu
Mon Jul 29 17:55:36 EDT 2002
> The reason for batching entropy input is to prevent someone who has
> broken your system once from discovering each small entropy input by
> exhaustive search. (There was a nice paper pointing this out in. If
> someone has the reference...)
I believe you are referring to the state compromise attacks
described in the following paper:
J. Kelsey, B. Schneier, D. Wagner, C. Hall,
"Cryptanalytic Attacks on Pseudorandom Number Generators",
FSE'98. http://www.counterpane.com/pseudorandom_number.html
I once wrote a short note about the relevance of this to IPSec:
http://www.cs.berkeley.edu/~daw/my-posts/using-prngs
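The point in the quoted text (that mixing small entropy samples one at a time lets an attacker who already knows the pool state recover each sample by exhaustive search, whereas batching them forces a search over the combined space) can be shown with a toy pool. The following Python is an added illustration and is not code from the post, from the FSE'98 paper, or from any real RNG; the hash-based mixing function, the 8-bit sample size and the sample values are all constructed for the demonstration.

```python
import hashlib

CHUNK_BITS = 8  # constructed: each entropy sample is assumed to carry 8 bits


def mix(state: bytes, entropy: bytes) -> bytes:
    """Absorb entropy into the pool (toy construction: SHA-256 of state || input)."""
    return hashlib.sha256(state + entropy).digest()


def output(state: bytes) -> bytes:
    """Derive an output block from the pool; the pool itself is not revealed."""
    return hashlib.sha256(b"out" + state).digest()


def generator_unbatched(state: bytes, samples: list) -> tuple:
    """Mix every sample as soon as it arrives and emit an output after each one."""
    outputs = []
    for s in samples:
        state = mix(state, s)
        outputs.append(output(state))
    return state, outputs


def generator_batched(state: bytes, samples: list, batch: int) -> tuple:
    """Accumulate `batch` samples, mix them in a single step, then emit one output."""
    outputs = []
    for i in range(0, len(samples), batch):
        state = mix(state, b"".join(samples[i:i + batch]))
        outputs.append(output(state))
    return state, outputs


def recover_unbatched(known_state: bytes, outputs: list) -> tuple:
    """Model the state-compromise scenario for the unbatched generator.

    Starting from a known pool state and the observed outputs, each 8-bit
    sample is recovered by trying all 2^8 candidates against the next
    output, then stepping the state forward.  Returns the recovered samples
    and the number of candidates tried (None if no candidate matched)."""
    recovered, guesses = [], 0
    state = known_state
    for out in outputs:
        for cand in range(2 ** CHUNK_BITS):
            guesses += 1
            cand_b = bytes([cand])
            nxt = mix(state, cand_b)
            if output(nxt) == out:
                recovered.append(cand_b)
                state = nxt
                break
        else:
            return None, guesses
    return recovered, guesses


def worst_case_guesses(n_samples: int, batch: int) -> int:
    """Worst-case candidate count for recovering `n_samples` samples when the
    pool mixes `batch` samples per step: each step costs 2^(8*batch) guesses,
    so the cost grows linearly without batching and exponentially with it."""
    steps = -(-n_samples // batch)  # ceiling division
    return steps * 2 ** (CHUNK_BITS * batch)


if __name__ == "__main__":
    state0 = bytes(32)  # constructed: attacker already knows this pool state
    samples = [bytes([x]) for x in (0x13, 0xA7, 0x00, 0xFF)]  # constructed samples
    _, outs = generator_unbatched(state0, samples)
    rec, tried = recover_unbatched(state0, outs)
    print("unbatched: recovered", rec == samples, "after", tried, "guesses")
    print("worst case, one sample per step:", worst_case_guesses(4, 1))
    print("worst case, four samples per step:", worst_case_guesses(4, 4))
```

With four 8-bit samples, per-sample mixing is recovered in at most 4 x 256 = 1024 guesses, while mixing all four in one step raises the worst case to 2^32 for the same amount of entropy. The defence only holds if no output is emitted between the samples of a batch and if the bit count credited to each sample is honest; an overestimated entropy source shrinks the real search space regardless of batching.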
---------------------------------------------------------------------
The Cryptography Mailing List