>===== Original Message From David Honig <[EMAIL PROTECTED]> =====
[...]
>Admittedly it may sound religious to claim that physical entropy
>matters, when no one can tell the difference between true random & prng
>bits (without the prng 'key').  But a prng *is* crackable
>if you infer the internal state.  Yes, this should be
>infeasible.  But the crypto-uses require fully unguessable
>bits.  Otherwise you could use a one-time-seeded prng and turn
>the crank without bothering to reseed.

As I see it, the purpose of the true random seeding is not to "refill a 
depleted entropy pool", but to make it hard to bruteforce the PRNG and so 
reveal its internal state. For example, if we knew that the PRNG always 
starts with one of four possible configurations (a two-bit seed, as far as 
entropy is concerned), we could try to run a copy of the generator four times; 
once we detect a match with the output of the black box under attack, we know 
the state of the latter and we may predict its future completely. If, on the 
other hand, we start with a 128-bit random seed, the bruteforcing requires 
2^126 attempts, becoming unfeasible.

However, this does not mean that we may extract from the box only 128 bits of 
securely unpredictable data (or an amount proportional to it). In fact, the 
number of bits we extract does not affect at all the predictability of the 
future bits, as long as the PRNG uses a good one-way function. And if it 
doesn't, continuing to stir in randomicity won't help much: the attacker won't 
try to bruteforce the generator (which is what the random seed really helps to 
prevent) but will break a weaker link by backstepping the PRNG.

Cheers --

Enzo
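The argument in the message above (a tiny seed space lets an observer recover the generator's state by running copies of it, while a 128-bit seed makes that search unfeasible, and the number of output blocks drawn does not change the size of that search) can be checked on a toy generator. The following is an added example, written for this page and not code from either correspondent; the hash-based `HashPrng`, the `recover_state_by_seed_search` audit function and the sample seeds are all constructed here for illustration and are not a real CSPRNG design.

```python
"""Seed-entropy audit on a toy one-way PRNG (constructed example).

The generator below advances its state through SHA-256, so outputs reveal
nothing about the state directly. The only handle an observer has is the
seed space: if it is tiny, every candidate seed can be tried and the
matching copy predicts all future output. The cost of that search depends
on the seed's entropy, not on how many output blocks were drawn.
"""
import hashlib


class HashPrng:
    """Toy hash-based generator (constructed for this example).

    output block = H(state || "out"), next state = H(state || "next").
    Both steps go through a one-way function, so a block does not expose
    the state that produced it.
    """

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed:" + seed).digest()

    def next_block(self) -> bytes:
        out = hashlib.sha256(self.state + b"out").digest()
        self.state = hashlib.sha256(self.state + b"next").digest()
        return out


def seed_bytes(seed_int: int, seed_bits: int) -> bytes:
    """Encode an integer seed in the minimal number of big-endian bytes."""
    return seed_int.to_bytes(max(1, (seed_bits + 7) // 8), "big")


def recover_state_by_seed_search(observed: list[bytes], seed_bits: int):
    """Run a copy of the generator for every seed of `seed_bits` bits and
    compare it with the observed output blocks.

    Returns (seed, predicted_next_block) when a copy matches, else None.
    This is the "two-bit seed" scenario from the message: feasible only
    because the seed space is tiny.
    """
    for seed_int in range(1 << seed_bits):
        candidate = HashPrng(seed_bytes(seed_int, seed_bits))
        if all(candidate.next_block() == blk for blk in observed):
            return seed_int, candidate.next_block()
    return None


def search_cost(seed_bits: int, blocks_observed: int) -> int:
    """Worst-case number of generator copies an observer must run.

    `blocks_observed` is accepted only to make the point explicit: it does
    not appear in the result, because drawing more output from a one-way
    generator does not shrink the seed space.
    """
    return 1 << seed_bits


if __name__ == "__main__":
    # Black box seeded from a 2-bit seed (value 3): four possible states.
    box = HashPrng(seed_bytes(3, 2))
    seen = [box.next_block(), box.next_block()]
    hit = recover_state_by_seed_search(seen, 2)
    print("2-bit seed recovered:", hit[0], "prediction correct:", hit[1] == box.next_block())
    # Same generator with a 128-bit seed: search space is 2^128 copies,
    # whether 2 or 2 million blocks were observed.
    print("copies to try, 128-bit seed:", search_cost(128, 2) == search_cost(128, 2_000_000))
```

The audit function is the check a defender would run against a seeding design: if `recover_state_by_seed_search` succeeds in reasonable time for the seed space the design actually uses, the seed is the weak link, regardless of how strong the one-way step is.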
 
