Date: Wed, 9 Aug 2000 11:43:23 -0500 (CDT)
From: Oliver Xymoron <oxymoron@waste.org>
> The "one extra bit of entropy" is the question of "do we mix this input
> into the stream or not?" If the adversary knows the input (by watching
> the ethernet, for example, so he can figure out when the ethernet
> interrupts will be) with 100% accuracy, the choice of whether or not to
> include the interrupt adds one bit of uncertainty ("yes or no") which is
> taken from the PRNG.
I think there's something wrong with this analysis. That bit isn't
appearing out of thin air, it's coming out of the pool. If the attacker
knew all the inputs to the pool, he'd know that bit as well. So this is
zero new bits. Otherwise, we could recursively generate arbitrary amounts
of entropy by calling the PRNG!
I believe Andi was positing the existence of a separate PRNG, and my
point was that if you are afraid the adversary knows the interrupt
stream timing perfectly, the only additional "entropy" which is added
comes from the PRNG. Of course, the PRNG can be at most
cryptographically strong, which means that it's not really contributing
any entropy..... which was my point.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Aug 15 2000 - 21:00:18 EST