[Cryptography] Random numbers only once

Krisztián Pintér pinterkr at gmail.com
Wed Feb 5 15:20:18 EST 2014

Watson Ladd (at Tuesday, February 4, 2014, 6:12:55 AM):
> As DJB pointed out on another listhost, one only needs 256 random bits
> once, and can then use a PRF to generate an indefinite number forever.

apparently, he says much more than that. today on his brand new blog:



he argues that if we have a malicious source of entropy, and it can
access the other sources' raw data, it can manipulate the output of
the rng, and thus influence generated keys and nonces to some
(admittadly small) degree.

two dangers:

1, some schemes rely on perfect random nonces. cooked nonce is a

2, it can use randomness to communicate information to the outside
world. a driver or the CPU might have hard time phoning home. putting
bits in public keys and public nonces might open a channel.

More information about the cryptography mailing list