entropy depletion

John Kelsey kelsey.j at ix.netcom.com
Thu Jan 27 10:06:04 EST 2005


>From: William Allen Simpson <wsimpson at greendragon.com>
>Sent: Jan 11, 2005 1:48 PM
>To: cryptography at metzdowd.com
>Subject: Re: entropy depletion

>Ben Laurie wrote:
>> Surely observation of /dev/urandom's output also gives away information?
>>
>ummm, no, not by definition.

>/dev/random
> blocks on insufficient estimate of stored entropy
>  useful for indirect measurement of system characteristics
>  (assumes no PRNG)

>/dev/urandom
>  blocks only when insufficient entropy for initialization of state
>  computationally infeasible to determine underlying state
>  (assumes robust PRNG)

So, the big issue here is that we're counting on a cryptographic algorithm both to provide full-entropy outputs and to mask the different outputs from one another.  There's no guarantee that it can do either.  That is, even if another 160 bits of entropy have been put into the pool, there's no guarantee that there will be no relationship between the next 80-bit output and the last one.  That depends on your beliefs about SHA1, and about unproven properties of it.
(It's been a long time since I've looked at the algorithm used by /dev/random, but I think there are some narrow-pipe issues there which might limit the total entropy that can affect a sequence of outputs from a sequence of inputs.)

>William Allen Simpson

--John Kelsey
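A toy model of the narrow-pipe limit raised above, added here as an illustration; it is not code from this thread or from any real /dev/random implementation. The pool widths, the SHA-256-based mixing and extraction steps, and the 16-bit fresh input are constructed assumptions chosen so that every input can be enumerated.

```python
import hashlib


def _trunc(data: bytes, bits: int) -> int:
    """Hash `data` with SHA-256 and keep only the low `bits` bits (toy narrowing)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") & ((1 << bits) - 1)


def mix(state: int, fresh: int, state_bits: int) -> int:
    """Absorb fresh entropy into a pool that is only state_bits wide (constructed model)."""
    return _trunc(b"mix" + state.to_bytes(8, "big") + fresh.to_bytes(8, "big"), state_bits)


def extract(state: int, state_bits: int, out_bits: int):
    """Derive one out_bits output from the state, then advance the state via the hash."""
    out = _trunc(b"out" + state.to_bytes(8, "big"), out_bits)
    nxt = _trunc(b"next" + state.to_bytes(8, "big"), state_bits)
    return out, nxt


def output_sequence(fresh: int, state_bits: int, out_bits: int, n_outputs: int):
    """Mix one fresh input into an all-zero pool and read n_outputs outputs in a row."""
    state = mix(0, fresh, state_bits)
    outs = []
    for _ in range(n_outputs):
        out, state = extract(state, state_bits, out_bits)
        outs.append(out)
    return tuple(outs)


def distinct_sequences(input_bits: int, state_bits: int, out_bits: int, n_outputs: int) -> int:
    """Feed every possible input_bits value through the pool and count the distinct
    output sequences it can produce. The count can never exceed 2**state_bits, no
    matter how much input entropy went in: that is the narrow-pipe effect."""
    seen = set()
    for fresh in range(1 << input_bits):
        seen.add(output_sequence(fresh, state_bits, out_bits, n_outputs))
    return len(seen)


if __name__ == "__main__":
    # 16 bits of fresh entropy, two 8-bit outputs (16 bits of output capacity).
    narrow = distinct_sequences(16, state_bits=8, out_bits=8, n_outputs=2)
    wide = distinct_sequences(16, state_bits=16, out_bits=8, n_outputs=2)
    print(f"8-bit pipe : at most 256 sequences, observed {narrow}")
    print(f"16-bit pipe: observed {wide} sequences")
```

With the 8-bit pipe the pair of outputs carries at most 8 bits of entropy even though 16 bits went in, and the second output is a deterministic function of the same narrow state as the first.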

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
