[Cryptography] randomness +- entropy

Arnold Reinhold agr at me.com
Mon Nov 11 15:30:02 EST 2013


On Sun, 10 Nov 2013 11:48 Yaron Sheffer wrote:

> On 2013-11-08 23:31, Nico Williams wrote:
>> On Fri, Nov 08, 2013 at 12:23:57PM -0700, John Denker wrote:
>>>> I was only arguing that consuming n bits of PRNG output != lowering the
>>>> PRNG's "entropy" by n bits.
>>> 
>>> That inequality is true and useful and well said.
>> 
> My original comment was not a general statement about consuming bits 
> from the PRNG. I said that consuming PRNG bits *before the PRNG is fully 
> seeded* is a double problem:
> 
> - The consumer gets low-quality randomness.
> - The *next* consumer's entropy is lower, because the first consumer 
> might broadcast the randomness he had just received.
> 
> And then Ted said that the consumer in question ("minstrel") does cause 
> the entropy estimate to be decreased, so the second problem does not apply.

Per the above, it seems to me that some thought should be given to the advisability of logging instances where a PRNG is seeded before sufficient entropy is collected. It's at least conceivable that the logs will not be protected as tightly as the PRNG state (logs might be collected and sent to a compromised central server, for example), so an attacker might be able to examine the logs of many nodes on a network to find the few whose PRNGs are poorly seeded and focus his resources on breaking them.

Arnold Reinhold
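An added illustration of Yaron's "double problem" (this is example code written for this archive page, not from anyone in the thread): a constructed toy generator whose output is SHA-256(seed || counter), a first consumer that broadcasts its block, and an observer who tries to recover the seed from that block. With a 16-bit seed the next consumer's value is predicted; with a full 256-bit seed the same observation and search budget yield nothing.

```python
import hashlib
import os

def prng_output(seed: bytes, counter: int) -> bytes:
    # Toy generator (constructed for this example, not a real PRNG design):
    # output block i is SHA-256(seed || i), so every block depends only on the seed.
    return hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()

def recover_seed(observed: bytes, counter: int, seed_bits: int, max_tries: int):
    """Search for the seed that produced one observed output block.
    Succeeds only when the seed space is small enough to enumerate, i.e. when
    the generator handed out output before it had collected real entropy."""
    width = (seed_bits + 7) // 8
    for value in range(min(2 ** seed_bits, max_tries)):
        candidate = value.to_bytes(width, "big")
        if prng_output(candidate, counter) == observed:
            return candidate
    return None

def predict_next_consumer(observed: bytes, counter: int, seed_bits: int,
                          max_tries: int = 2 ** 16):
    """The block the *next* consumer will receive, if the first consumer's
    block was broadcast and the seed could be recovered from it; None otherwise."""
    seed = recover_seed(observed, counter, seed_bits, max_tries)
    if seed is None:
        return None
    return prng_output(seed, counter + 1)

def demo():
    # Case 1: generator seeded with only 16 bits of entropy. The first consumer
    # receives block 0 and broadcasts it (constructed seed value).
    weak_seed = (0x1234).to_bytes(2, "big")
    broadcast = prng_output(weak_seed, 0)
    predicted = predict_next_consumer(broadcast, 0, seed_bits=16)
    weak_leaked = predicted == prng_output(weak_seed, 1)

    # Case 2: fully seeded generator (256 bits). Same observation, same search
    # budget: the broadcast block tells the observer nothing usable.
    strong_seed = os.urandom(32)
    broadcast = prng_output(strong_seed, 0)
    strong_leaked = predict_next_consumer(broadcast, 0, seed_bits=256) is not None
    return weak_leaked, strong_leaked

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point the thread makes is visible in the return value: consuming and broadcasting a block costs the well-seeded generator nothing, while the under-seeded generator gives away its entire state to whoever sees that block.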

