[Cryptography] combining lots of lousy RNGs ... or not

ianG iang at iang.org
Wed Nov 23 13:16:33 EST 2016

On 22/11/2016 10:13, Phillip Hallam-Baker wrote:
> On Mon, Nov 21, 2016 at 5:53 PM, John Denker <jsd at av8n.com
> <mailto:jsd at av8n.com>> wrote:
>     Here are some useful equations:
>       random XOR squish = random
>       squish XOR squish = squish   (*not* random)
> No. random XOR squish = squish
> If I can interfere with squish, I can undo your random if I know it. And
> in real world systems I can often know it.
> A better equation is H (random + squish) = random

If you can undo the random, then it ain't random.  It's shared.

Using the definition of "random == unpredictable to adversary".

Which is to say that we draw the security envelope around the RNG such 
that if that security envelope is breached, then all bets are off - 
attacker owns the entire machine, and won't bother with the RNG, will 
just instruct you which knife you are to use in your upcoming 
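The two combiners argued over above (plain XOR versus hashing the concatenation), as an added worked example that is not part of the thread and not anyone's posted code: it asks what an adversary who already knows the "random" input and controls "squish" can do to each. SHA-256 as the hash, the 16-byte constructed "random" value, the 8-bit bias target and the search budget are all this example's own assumptions; the thread names none of them.

```python
"""
Added example (not from the thread): given a 'random' input the attacker
knows and a 'squish' input the attacker controls, compare what XOR and a
hash combiner hand over. SHA-256 and all constants are assumptions.
"""
import hashlib
from typing import Optional


def xor_combine(rand: bytes, squish: bytes) -> bytes:
    """The 'random XOR squish' combiner; inputs must be the same length."""
    if len(rand) != len(squish):
        raise ValueError("inputs must be the same length")
    return bytes(r ^ s for r, s in zip(rand, squish))


def hash_combine(rand: bytes, squish: bytes) -> bytes:
    """The 'H(random + squish)' combiner. SHA-256 is an assumption here;
    the thread does not name a hash."""
    return hashlib.sha256(rand + squish).digest()


def forge_squish_for_xor(known_rand: bytes, target: bytes) -> bytes:
    """Once the attacker knows the random input, XOR lets them pick squish so
    the output is any target they like: random XOR squish = squish."""
    return xor_combine(known_rand, target)


def forge_squish_for_hash(known_rand: bytes, target_prefix: bytes,
                          max_tries: int) -> Optional[bytes]:
    """Against the hash combiner the attacker cannot solve for a chosen
    full output (that is a preimage), but knowing random and controlling
    squish still lets them *select* among outputs: try candidate squish
    values until the digest starts with target_prefix. 2^k work buys k
    bits of control. Returns None when the budget runs out."""
    for i in range(max_tries):
        candidate = i.to_bytes(8, "big")  # deterministic candidate squish
        if hash_combine(known_rand, candidate).startswith(target_prefix):
            return candidate
    return None


def demo() -> dict:
    """Run both attacks on constructed inputs and report what succeeded."""
    # Constructed value standing in for a 'random' input the attacker knows.
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")

    # XOR: the attacker forces the output to all zeros outright.
    target = b"\x00" * 16
    s_xor = forge_squish_for_xor(rand, target)
    xor_forced = xor_combine(rand, s_xor) == target

    # Hash: 8 bits of bias (leading zero byte) costs ~256 tries on average.
    s_bias = forge_squish_for_hash(rand, b"\x00", 1 << 16)
    hash_biased = s_bias is not None and hash_combine(rand, s_bias)[0] == 0

    # Hash: forcing the entire 32-byte digest is out of reach in any budget
    # this loop will see.
    s_full = forge_squish_for_hash(rand, b"\x00" * 32, 1 << 16)
    hash_full_forced = s_full is not None

    return {
        "xor_forced": xor_forced,
        "hash_prefix_biased": hash_biased,
        "hash_full_forced": hash_full_forced,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Either way, an attacker who knows both inputs also knows the combiner's output exactly; the hash only takes away the ability to dictate it. That is the sense in which "random" has to mean unpredictable to the adversary: the combiner cannot put back entropy the adversary already has.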