[Cryptography] [RNG] on RNGs, VM state, rollback, etc.

Jerry Leichter leichter at lrw.com
Thu Oct 24 16:14:48 EDT 2013


On Oct 24, 2013, at 3:50 PM, Peter Saint-Andre <stpeter at stpeter.im> wrote:
>> As long as you're at it, ask a whole bunch of hosts, close and far,
>> for 256 random bits from their own generators.  If even a single
>> one of the response slips by an attacker, he's lost.
> 
> By 'hosts' do you mean servers, or also endpoints?
Anything you can connect to, by any means, that can transfer random bits to you.

The point of my comment is to counter the usual claim that getting anything through the network isn't helpful because your attacker may be watching everything go by on the network.  In fact, in many situations, it's extremely difficult to watch everything going by, and even if you as the attacker can, the node trying to grab data off the network may only grab some of it and it may be difficult to tell *what* it grabbed.

I'll be the first to admit that all of this is Denker's "squish":  You don't know how to predict it, but you can't prove it's unpredictable either.  I'd much rather have a vetted generator based on shot noise or something of that sort.  But if I *don't* have that, I have to do *something*.  Starting with the assumption of an omniscient attacker who has unfailing access to everything I can see or do leads to no solutions at all.  But it's also unrealistic in virtually all situations.  Attackers have some variation of a wiretap channel:  They see what you see but with more random errors, or perhaps just with *randomly different* errors.  If you can estimate the magnitude of the difference between your view and theirs, you can leverage it to move your state exponentially further away from their model of it, eventually leaving them with no useful information.
                                                        -- Jerry
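The two claims in the message above (a single response the attacker misses costs them everything, and a noisy wiretap view lets you push the pool state exponentially away from their model) can be made concrete with a small simulation. The code below is an added example written for this page, not code from Jerry's mail or from any particular RNG. It assumes a hash-chained pool (new state = SHA-256 over the previous state and the next host's reply) and a deliberately generous attacker who holds a copy of every reply and knows exactly which bit positions in each copy may be wrong; all host replies and noise are constructed in the test and in `main`.

```python
import hashlib
import itertools


def update_pool(pool: bytes, sample: bytes) -> bytes:
    """One mixing step: the new pool state is a hash over the old state and the
    fresh sample.  Length-prefixing the sample keeps the hash input unambiguous."""
    return hashlib.sha256(len(sample).to_bytes(4, "big") + sample + pool).digest()


def mix_rounds(seed: bytes, samples: list) -> bytes:
    """Feed each host's response into the pool in turn and return the final state."""
    pool = seed
    for sample in samples:
        pool = update_pool(pool, sample)
    return pool


def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the listed bit positions inverted.  This is the
    constructed stand-in for the random errors in the attacker's wiretap view."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def candidate_space(uncertain_positions) -> int:
    """Number of pool states the attacker must consider: 2 ** (total uncertain bits).
    Every additional mixing round adds its uncertain bits to the exponent, which is
    the 'exponentially further away' effect in the message above."""
    return 2 ** sum(len(p) for p in uncertain_positions)


def attacker_recover(seed, noisy_views, uncertain_positions, target_pool, max_work=1 << 16):
    """Simulate the attacker: a noisy copy of every sample plus exact knowledge of which
    bit positions in each copy may be wrong.  They try every combination of
    corrections until the mixed pool matches the true one.
    Returns (found, attempts); gives up after max_work attempts."""
    per_round = [list(itertools.product((0, 1), repeat=len(pos)))
                 for pos in uncertain_positions]
    attempts = 0
    for choice in itertools.product(*per_round):
        attempts += 1
        if attempts > max_work:
            return False, attempts
        corrected = [flip_bits(view, [p for p, b in zip(pos, bits) if b])
                     for view, pos, bits in zip(noisy_views, uncertain_positions, choice)]
        if mix_rounds(seed, corrected) == target_pool:
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    import secrets
    seed = secrets.token_bytes(32)
    samples = [secrets.token_bytes(32) for _ in range(3)]            # three hosts' 256-bit replies
    uncertain = [[1, 17, 33, 200], [5, 6, 7, 8], [0, 64, 128, 255]]  # 4 doubtful bits per reply
    views = [flip_bits(samples[0], [17]), flip_bits(samples[1], [5, 8]), samples[2]]
    found, attempts = attacker_recover(seed, views, uncertain, mix_rounds(seed, samples))
    print("candidates:", candidate_space(uncertain), "found:", found, "attempts:", attempts)
    # A reply the attacker never saw at all is 256 uncertain bits in one round: 2 ** 256.
    print("one missed 256-bit reply:", candidate_space([list(range(256))]))
```

With four doubtful bits per reply the attacker's search is 2^4 per round, so three rounds cost 2^12 candidates and six rounds 2^24; the exponent grows linearly in the number of rounds while each round costs you one hash. A reply the attacker misses entirely is the degenerate case of 256 uncertain bits, which is the "even a single one slips by" point.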