entropy depletion
Steven M. Bellovin
smb at cs.columbia.edu
Tue Jan 11 10:58:03 EST 2005
Let me raise a different issue: a PRNG might be better *in practice*
because of higher assurance that it's actually working as designed at
any given time.
Hardware random number generators are subject to all sorts of
environmental issues, including stuck bits, independent oscillators
that aren't independent, contamination by power line frequency noise,
etc. By contrast, a correct implementation of a cryptographic
algorithm will always function correctly. (Yes, there could be an
undetected hardware fault. Run it three times, on different chips....)
To me, the interesting question about, say, Yarrow is not how well it
mixes in entropy, but how well it performs when there's essentially no
new entropy added. Clearly, we need something to seed a PRNG, but what
are the guarantees we have against what sorts of threats if there are
never any new true-random inputs? (Remember the purported escrow key
generation algorithm for Clipper? See
http://www.eff.org/Privacy/Newin/Cypherpunks/930419.denning.protocol
for details. The algorithm was later disavowed, but I've never been
convinced that the disavowal was genuine.)
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
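The two points raised in the message above, a hardware source that is quietly stuck and a PRNG that runs on without any fresh entropy, as an added example that is not part of the post and is not Yarrow's design. The health test is the repetition count test from NIST SP 800-90B section 4.4.1; the generator is a toy hash-ratchet stand-in for the Yarrow/Fortuna family. The sample streams, the assumed min-entropy estimate of 7.0 bits per byte, the seed and reseed strings, and all class and function names are constructed for illustration.

```python
"""Added example (not from the post or from Yarrow): (1) a repetition-count
health test that catches a stuck hardware RNG, and (2) a toy hash-ratchet
generator showing what a PRNG does and does not guarantee when it is never
reseeded.  Names, constants and sample data are assumptions for illustration."""
import hashlib
import math
from typing import Optional, Tuple

# ---- 1. Health test for raw hardware RNG samples ---------------------------
def rct_cutoff(min_entropy_per_sample: float, alpha_log2: int = 20) -> int:
    """Repetition Count Test cutoff as in SP 800-90B 4.4.1:
    C = 1 + ceil(-log2(alpha) / H), with alpha = 2^-alpha_log2 and H the
    assessed min-entropy per sample."""
    return 1 + math.ceil(alpha_log2 / min_entropy_per_sample)

def repetition_count_test(samples: bytes, cutoff: int) -> Optional[int]:
    """Return the offset at which a run of identical samples reaches `cutoff`,
    or None if the stream passes.  A stuck bit or a dead oscillator shows up
    as a long run of identical samples that a healthy source would not emit."""
    run = 1
    for i in range(1, len(samples)):
        run = run + 1 if samples[i] == samples[i - 1] else 1
        if run >= cutoff:
            return i
    return None

# Constructed inputs: a healthy-looking stream (SHA-256 over a counter, used
# only as stand-in data) and the same stream with a 64-byte stretch where the
# source got stuck at 0xFF.
HEALTHY = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
STUCK = HEALTHY[:100] + b"\xff" * 64 + HEALTHY[100:]

def health_check_demo() -> Tuple[bool, bool]:
    """(healthy stream passes, stuck stream is caught); assumes H = 7.0 bits/byte."""
    cutoff = rct_cutoff(min_entropy_per_sample=7.0)   # -> C = 4
    return (repetition_count_test(HEALTHY, cutoff) is None,
            repetition_count_test(STUCK, cutoff) is not None)

# ---- 2. Toy hash-ratchet generator: what happens with no fresh entropy -----
class ToyGenerator:
    """Seed -> state; block i is SHA-256(state || i); the state is pushed
    through a one-way function after every call.  A simplified stand-in for a
    Yarrow/Fortuna-style generator, not Yarrow's actual algorithm."""
    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()

    def generate(self, nblocks: int) -> bytes:
        out = b"".join(hashlib.sha256(self.state + i.to_bytes(4, "big")).digest()
                       for i in range(nblocks))
        # One-way ratchet: the new state does not reveal the old one, so output
        # produced before a compromise stays safe (backtracking resistance).
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return out

    def reseed(self, fresh_entropy: bytes) -> None:
        """Only mixing in entropy the attacker does not have makes *future*
        output unpredictable once the state has been captured."""
        self.state = hashlib.sha256(b"reseed" + self.state + fresh_entropy).digest()

def state_compromise_demo() -> Tuple[bool, bool]:
    """Attacker copies the internal state once.  With no new true-random input
    every later block is predictable; after a reseed with input the attacker
    never sees, the prediction fails.  Returns (predictable, still_predictable)."""
    gen = ToyGenerator(b"constructed initial seed")
    gen.generate(4)                       # some normal use before the compromise
    stolen = ToyGenerator(b"")            # attacker's clone of the generator ...
    stolen.state = gen.state              # ... loaded with the captured state
    predictable = gen.generate(8) == stolen.generate(8)
    gen.reseed(b"fresh true-random input the attacker never sees")
    still_predictable = gen.generate(8) == stolen.generate(8)
    return predictable, still_predictable

if __name__ == "__main__":
    print("health test (healthy passes, stuck caught):", health_check_demo())
    print("state compromise (predictable, still predictable after reseed):",
          state_compromise_demo())
```

The health test is the kind of continuous check a hardware source needs precisely because, as the post notes, a correct algorithm always behaves the same but a physical source can degrade silently. The generator demo separates the two properties worth asking about when no new entropy arrives: the one-way ratchet protects past output, but nothing short of fresh, unseen entropy protects future output once the state is known.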