building a true RNG

David Wagner daw at cs.berkeley.edu
Mon Jul 29 17:55:36 EDT 2002


> The reason for batching entropy input is to prevent someone who has 
> broken your system once from discovering each small entropy input by 
> exhaustive search.  (There was a nice paper pointing this out in. If 
> someone has the reference...)

I believe you are referring to the state compromise attacks
described in the following paper:
  J. Kelsey, B. Schneier, D. Wagner, C. Hall,
  "Cryptanalytic Attacks on Pseudorandom Number Generators",
  FSE'98.  http://www.counterpane.com/pseudorandom_number.html
I once wrote a short note about the relevance of this to IPSec:
  http://www.cs.berkeley.edu/~daw/my-posts/using-prngs

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
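[Editor's note: the following is an added illustration of the attack the thread is discussing, not code from the thread or from the FSE'98 paper. It uses a toy hash-based generator (mix/output are SHA-256 constructions chosen here for illustration) fed 8-bit entropy samples: when each sample is mixed in on its own and an output is emitted after every mix, an attacker who already knows the state can track it by trying at most 256 candidates per output; when the same samples are pooled into one 64-bit batch before mixing, the same attacker exhausts a bounded guess budget and loses the state. The seed and sample values are constructed for the example.]

```python
import hashlib
from itertools import product
from typing import List, Optional, Tuple


def mix(state: bytes, entropy: bytes) -> bytes:
    """Fold a batch of entropy into the generator state (toy construction)."""
    return hashlib.sha256(b"mix|" + state + b"|" + entropy).digest()


def output(state: bytes) -> bytes:
    """Derive one output block from the current state (toy construction)."""
    return hashlib.sha256(b"out|" + state).digest()


def run_generator(seed: bytes, samples: List[int], batch_size: int) -> Tuple[List[bytes], bytes]:
    """Feed 8-bit entropy samples into the generator.

    Every batch_size samples are pooled and mixed into the state at once, and
    one output is emitted right after each mix. Returns (outputs, final_state).
    A trailing partial batch is left in the pool and never mixed.
    """
    state = seed
    outputs = []
    usable = len(samples) - len(samples) % batch_size
    for i in range(0, usable, batch_size):
        batch = bytes(samples[i:i + batch_size])
        state = mix(state, batch)
        outputs.append(output(state))
    return outputs, state


def iterative_guess(compromised_state: bytes, outputs: List[bytes],
                    batch_size: int, max_guesses: int) -> Optional[bytes]:
    """State-compromise attacker: starting from a state learned once, track the
    generator by brute-forcing each entropy batch against the next observed output.

    Cost per output is 256**batch_size candidates, so the attacker succeeds
    when batches are small and gives up (returns None) once the total number
    of guesses exceeds max_guesses.
    """
    state = compromised_state
    guesses = 0
    for observed in outputs:
        found = None
        for cand in product(range(256), repeat=batch_size):
            guesses += 1
            if guesses > max_guesses:
                return None
            cand_state = mix(state, bytes(cand))
            if output(cand_state) == observed:
                found = cand_state
                break
        if found is None:
            return None
        state = found
    return state


# Constructed inputs: a state the attacker is assumed to have captured, and
# eight samples carrying 8 bits of entropy each (64 bits in total).
COMPROMISED_SEED = bytes(32)
SAMPLES = [17, 200, 3, 91, 254, 0, 42, 128]


def attack_per_sample_mixing() -> bool:
    """Mixing each sample alone: the attacker recovers the final state."""
    outputs, final_state = run_generator(COMPROMISED_SEED, SAMPLES, batch_size=1)
    return iterative_guess(COMPROMISED_SEED, outputs, 1, max_guesses=10_000) == final_state


def attack_batched_mixing(budget: int = 200_000) -> bool:
    """Pooling all eight samples into one 64-bit batch: the attacker gives up."""
    outputs, _ = run_generator(COMPROMISED_SEED, SAMPLES, batch_size=8)
    return iterative_guess(COMPROMISED_SEED, outputs, 8, max_guesses=budget) is None


if __name__ == "__main__":
    print("per-sample mixing, attacker tracks state:", attack_per_sample_mixing())
    print("batched mixing, attacker exhausts budget:", attack_batched_mixing())
```

The budget in the batched case stands in for "infeasible": the attacker's work is 2^(entropy in the batch), so eight 8-bit samples mixed separately cost at most 8*256 guesses to follow, while the same samples pooled cost up to 2^64. Note that this only helps if the samples really carry the entropy you credit them with; batching predictable inputs does not raise the cost.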