[Cryptography] What's a Plausible Attack On Random Number Generation?

ianG iang at iang.org
Fri Nov 1 05:03:33 EDT 2013


On 1/11/13 08:20 AM, Nico Williams wrote:
> I've asked this before and maybe we can make it very short and sweet:
>
>     How hard is an attacker fitting your threat model[*] willing to work
>     to attack you via your RNG?
>
>     [*] The person answering this question gets to pick their threat model.


Good point.  The only RNG attack I can think of off-hand for which we
have reasonable evidence is the Android Bitcoin theft [0].  Very recent.
Any others?

It would seem that attacking the RNG is rather esoteric.

We don't even have evidence that the NSA has ever used their Dual_EC
pre-positioned attack vector, assuming we all agree that they did that.
What we have is supposition that if this is an attack, it's plausibly
convenient for them, 32 bytes being enough:


> Considering Dual_EC, assuming it's an attack on the wider community (as
> opposed to a secret self-key escrow that happens to also escrow other
> Dual_EC users' keys)...  the answer appears to be: not too hard.  This
> particular attacker, well-funded and all, apparently wanted to have to
> see just 32 bytes of RNG output to be able to recover its state with
> little effort.
>
> That's NOT evidence that no attacker is willing to work much harder than
> that to attack you via your RNG.  But it's suggestive.


iang


[0] For me, I always exclude demos, academic papers, etc.  Attacks must
be done by bad guys, coz that is the only way we know what the economics
of the attack are.  And attacks must succeed, they must steal money or
something.
