Re: /dev/random blocks forever on 2.2.12 and 2.2.16

From: Oliver Xymoron (oxymoron@waste.org)
Date: Wed Aug 09 2000 - 11:43:23 EST


On Tue, 8 Aug 2000, Theodore Y. Ts'o wrote:

> > even if you do use a PRNG to select whether or not a particular entropy
> > is sampled, that decision only contributes one bit of entropy into the
> > pool.....
>
> One bit? I was assuming you always put in the time difference
> between interrupts, which is surely a lot more than one bit (when it
> is there or not) Alternatively you could just run a Stream cipher
> over the input, but I guess that requires too much trust for the
> outgoing hash (just like the prng)
>
>
> The "one extra bit of entropy" is the question of "do we mix this input
> into the stream or not?" If the adversary knows the input (by watching
> the ethernet, for example, so he can figure out when the ethernet
> interrupts will be) with 100% accuracy, the choice of whether or not to
> include the interrupt adds one bit of uncertainty ("yes or no") which is
> taken from the PRNG.

I think there's something wrong with this analysis. That bit isn't
appearing out of thin air, it's coming out of the pool. If the attacker
knew all the inputs to the pool, he'd know that bit as well. So this is
zero new bits. Otherwise, we could recursively generate arbitrary amounts
of entropy by calling the PRNG!

--
 "Love the dolphins," she advised him. "Write by W.A.S.T.E.." 
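The accounting argument in the reply above, as an added example that is not part of the original message or of the kernel's random.c: a toy hash-based pool where the "mix this sample or not?" bit is read from the pool itself. An attacker who knows the initial state and every sample (the ethernet-timing scenario) computes the same gating bits and the same output, so the gate contributes nothing. The second function shows the other half of the point: if the gating bits instead come from a separate PRNG keyed with k secret bits, the attacker has at most 2**k outputs to try no matter how many samples are gated, so the "one bit per gated sample" count cannot exceed the secret that feeds it. The seed, the sample values and the SHA-256 mixing are constructed for this example.

```python
import hashlib

# Constructed inputs: a pool state and interrupt samples that, in the
# scenario under discussion, the attacker knows exactly.
KNOWN_SEED = b"\x00" * 32
KNOWN_SAMPLES = [f"eth-irq-delta-{i}".encode() for i in range(20)]


def mix(pool: bytes, data: bytes) -> bytes:
    """Fold one sample into the pool (SHA-256 stands in for the real mixer)."""
    return hashlib.sha256(pool + data).digest()


def extract(pool: bytes) -> bytes:
    """Read output from the pool; this is the 'PRNG' the gating bit is taken from."""
    return hashlib.sha256(b"extract" + pool).digest()


def pool_gate(pool: bytes, i: int) -> bool:
    """Decide whether to mix sample i using a bit drawn from the pool itself."""
    return bool(extract(pool)[0] & 1)


def secret_gate(key: bytes):
    """Gate driven by a separate PRNG keyed with material the attacker lacks."""
    def gate(pool: bytes, i: int) -> bool:
        return bool(hashlib.sha256(key + i.to_bytes(4, "big")).digest()[0] & 1)
    return gate


def run_pool(seed: bytes, samples, gate):
    """Feed samples through the gate; return (final output, gating decisions)."""
    pool = seed
    decisions = []
    for i, data in enumerate(samples):
        take = gate(pool, i)
        decisions.append(take)
        if take:
            pool = mix(pool, data)
    return extract(pool), decisions


def attacker_reproduces(seed: bytes, samples) -> bool:
    """Attacker knowing seed and samples recomputes every gating bit and the output.
    True means the gate added zero bits of uncertainty."""
    victim_out, victim_dec = run_pool(seed, samples, pool_gate)
    # The attacker never touches the victim's pool: it replays from known inputs.
    guess_out, guess_dec = run_pool(seed, samples, pool_gate)
    return guess_dec == victim_dec and guess_out == victim_out


def distinct_outputs(seed: bytes, samples, key_bits: int) -> int:
    """Outputs an attacker must consider when the gate is keyed with key_bits
    secret bits: bounded by 2**key_bits, independent of len(samples)."""
    outs = set()
    for k in range(2 ** key_bits):
        out, _ = run_pool(seed, samples, secret_gate(k.to_bytes(2, "big")))
        outs.add(out)
    return len(outs)


if __name__ == "__main__":
    print("attacker reproduces pool-gated output:",
          attacker_reproduces(KNOWN_SEED, KNOWN_SAMPLES))
    naive_claim = len(KNOWN_SAMPLES)          # "one bit per gated sample"
    for k in (0, 2, 4):
        n = distinct_outputs(KNOWN_SEED, KNOWN_SAMPLES, k)
        print(f"{k}-bit secret gate key: {n} reachable outputs "
              f"(naive claim {naive_claim} bits, bound 2**{k} = {2 ** k})")
```

With a 0-bit key (the gate is fully determined by what the attacker knows) there is exactly one reachable output; with a 4-bit key there are at most 16, even though 20 samples were "gated", which is why the gate cannot be counted as a fresh bit per sample.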
