[Cryptography] combining lots of lousy RNGs ... or not
ianG
iang at iang.org
Wed Nov 23 13:16:33 EST 2016
On 22/11/2016 10:13, Phillip Hallam-Baker wrote:
> On Mon, Nov 21, 2016 at 5:53 PM, John Denker <jsd at av8n.com> wrote:
>
>
> Here are some useful equations:
> random XOR squish = random
> squish XOR squish = squish (*not* random)
>
>
> No. random XOR squish = squish
>
> If I can interfere with squish, I can undo your random if I know it. And
> in real world systems I can often know it.
>
> A better equation is H (random + squish) = random
If you can undo the random, then it ain't random. It's shared.
Using the definition of "random == unpredictable to adversary".
Which is to say that we draw the security envelope around the RNG such
that if that security envelope is breached, then all bets are off -
attacker owns the entire machine, and won't bother with the RNG, will
just instruct you which knife you are to use in your upcoming
self-sacrifice.
iang
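Added example, not part of the thread above: the two combiners under discussion (plain XOR versus hashing the concatenation) side by side, with an attacker who controls the "squish" input and happens to know the "random" input. Names, the use of SHA-256 as H, and the sample byte strings are my own assumptions for illustration. It shows the point each side is making: with XOR, a known random lets the attacker choose the output outright; with a hash, the attacker can no longer pick the output but can still predict it, because both inputs are known to them.

```python
import hashlib
from typing import Optional


def xor_combine(a: bytes, b: bytes) -> bytes:
    """The 'random XOR squish' combiner: bytewise XOR of equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("XOR combiner needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def hash_combine(a: bytes, b: bytes) -> bytes:
    """The 'H(random + squish)' combiner, with SHA-256 assumed as H."""
    return hashlib.sha256(a + b).digest()


def force_xor_output(known_random: bytes, target: bytes) -> bytes:
    """Attacker who knows 'random' and controls 'squish' picks squish so the
    XOR output is exactly `target` (squish = random XOR target)."""
    return xor_combine(known_random, target)


def try_force_hash_output(known_random: bytes, target: bytes,
                          attempts: int) -> Optional[bytes]:
    """Same attacker against the hash combiner: search squish values for one
    that yields `target`.  Returns the squish if found, else None.  With a
    preimage-resistant H no feasible number of attempts succeeds."""
    for i in range(attempts):
        squish = i.to_bytes(8, "big")
        if hash_combine(known_random, squish) == target:
            return squish
    return None


def attacker_can_predict(known_random: bytes, chosen_squish: bytes) -> dict:
    """ianG's point: once the 'random' input is known to the attacker, the
    output of either combiner is predictable, since both inputs are known."""
    return {
        "xor": xor_combine(known_random, chosen_squish),
        "hash": hash_combine(known_random, chosen_squish),
    }


if __name__ == "__main__":
    # Constructed sample values, not real RNG output.
    random_value = bytes(range(32))      # the "random" input, assumed leaked
    target = b"\xaa" * 32                # value the attacker wants out

    squish = force_xor_output(random_value, target)
    print("XOR output forced to target:", xor_combine(random_value, squish) == target)
    print("Hash output forced in 10k tries:", try_force_hash_output(random_value, target, 10_000))
    print("Predicted outputs:", attacker_can_predict(random_value, squish))
```

The difference between the two combiners is control of the output, not secrecy of it: a hash stops an attacker who has only one leaked input from steering the result to a chosen value, but if "random" is known to the attacker the result is known too, which is the sense in which a known random is not random.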