[Cryptography] "/dev/random is not robust"

Ray Dillinger bear at sonic.net
Tue Oct 15 03:57:06 EDT 2013


On 10/14/2013 06:53 PM, John Gilmore wrote:
> ... the weakness they point out seems
> to be that in some cases of new, incoming randomness with
> mis-estimated entropy, /dev/random doesn't necessarily recover over
> time from having had its entire internal state somehow compromised.
> 

That was my take-home message as well.  But theirs is not the first
construction to address this, nor even really the best.  I recall
that Schneier's most recent PRNG recovers well from compromise too,
and I think it does so in a way that addresses the most common cases
of compromise faster than this one and the total compromise that
these authors are concerned about not much slower.

				Bear
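As an added example (not code from this thread or from either poster), and assuming the PRNG Bear means is Fortuna (Ferguson and Schneier): a minimal Fortuna-style accumulator in Python showing the pool schedule that lets it recover from state compromise without any entropy estimate, which is the property the quoted /dev/random analysis finds lacking.

```python
import hashlib
from itertools import cycle
from typing import List, Optional

NUM_POOLS = 32
MIN_POOL0_BYTES = 64   # Fortuna reseeds only once pool 0 has seen this much input


class FortunaAccumulator:
    """Fortuna-style accumulator: 32 pools, no entropy estimation (assumed model).

    Events go round-robin into the pools. Reseed number k folds in every pool i
    with 2**i dividing k, so pool i contributes only every 2**i-th reseed and
    collects 2**i times more input before it is used. Whatever the real entropy
    rate, some pool eventually holds more unobserved input than an attacker
    can guess, and the reseed that consumes it leaves the old state behind.
    """

    def __init__(self, seed: bytes = b"") -> None:
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_bytes = 0
        self.reseed_count = 0
        self.key = hashlib.sha256(seed).digest()   # the generator key
        self._next_pool = cycle(range(NUM_POOLS))

    def add_event(self, source: int, data: bytes) -> None:
        """Append one event to the next pool (source id and length framing)."""
        i = next(self._next_pool)
        self.pools[i].update(bytes([source & 0xFF, len(data) & 0xFF]) + data)
        if i == 0:
            self.pool0_bytes += len(data)

    @staticmethod
    def pools_for_reseed(k: int) -> List[int]:
        """Pools folded into reseed number k: those i where 2**i divides k."""
        return [i for i in range(NUM_POOLS) if k % (1 << i) == 0]

    def maybe_reseed(self) -> Optional[List[int]]:
        """Reseed if pool 0 is full enough; return the pools used, else None."""
        if self.pool0_bytes < MIN_POOL0_BYTES:
            return None
        self.reseed_count += 1
        used = self.pools_for_reseed(self.reseed_count)
        h = hashlib.sha256(self.key)
        for i in used:
            h.update(self.pools[i].digest())
            self.pools[i] = hashlib.sha256()    # pool is emptied after use
        self.key = h.digest()
        self.pool0_bytes = 0
        return used
```

Pool 0 alone drives frequent reseeds (the fast recovery for common partial compromises); the higher pools are what make recovery from a total compromise certain, only later.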


