On Fri, Dec 09, 2011 at 09:45:40AM -0500, Thor Lancelot Simon wrote:

> Suffice to say I think the state of affairs is a lot better now than
> it was before. And note that at least one highly-thought-of modern
> design for an entropy collector (Fortuna) doesn't even _try_ to
> keep an "entropy estimate" -- the whole concept is pretty fuzzy
> when you start trying to count how many bits you "took out".
To extend on that: the basic idea is that as long as you started with "enough" entropy at some point and feed some form of entropy often enough, you have to break the cryptographic primitives pretty much completely to predict the output in any way. One of the fundamental design assumptions behind Fortuna is that there is no correct way to estimate entropy. People have been pretty bad about it whenever they tried. So remove the need for it.

Joerg
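As an added illustration of the point made in this thread (not code from any poster or from a real Fortuna implementation), here is a small Fortuna-style accumulator in Python. It shows the mechanism that replaces entropy estimation: events are spread over 32 pools with no attempt to count their bits, pool i is drained only on every 2^i-th reseed, and output is derived from a key by a cryptographic hash, so predicting it requires breaking the primitive rather than guessing an estimate. SHA-256 stands in for the SHA-256d/AES-256 pair used by the real design, and the minimum pool-size check before a reseed is left out.

```python
# Simplified Fortuna-style accumulator (illustrative, not a production PRNG).
import hashlib

NUM_POOLS = 32


def pools_to_drain(reseed_count):
    """Fortuna rule: on reseed number k (1-based), pool i is used iff 2**i divides k.
    Pool 0 feeds every reseed; pool i only every 2**i-th one, so even if an attacker
    can guess most events, some pool eventually collects enough unguessed events
    between two of its drains, with no entropy estimate needed to decide when."""
    return [i for i in range(NUM_POOLS) if reseed_count % (2 ** i) == 0]


class FortunaAccumulator:
    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.reseed_count = 0
        self.key = b"\x00" * 32      # generator key; set by the first reseed
        self.event_counter = 0       # round-robin pool selector for incoming events

    def add_random_event(self, source_id, data):
        """Only the source id and length are recorded with the event; no bit count."""
        if not (0 <= source_id < 256) or not (1 <= len(data) <= 32):
            raise ValueError("source id must be 0..255 and data 1..32 bytes")
        pool = self.pools[self.event_counter % NUM_POOLS]
        pool.update(bytes([source_id, len(data)]) + data)
        self.event_counter += 1

    def reseed(self):
        """Fold the selected pools into the key and empty them; returns the pools used."""
        self.reseed_count += 1
        used = pools_to_drain(self.reseed_count)
        material = self.key
        for i in used:
            material += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()   # drained pool starts over
        self.key = hashlib.sha256(material).digest()
        return used

    def random_bytes(self, n):
        """Keyed hash stream in counter mode (SHA-256 stands in for AES-256-CTR)."""
        out = b""
        block = 0
        while len(out) < n:
            out += hashlib.sha256(self.key + block.to_bytes(16, "big")).digest()
            block += 1
        # Rekey after every request so a later key compromise does not expose earlier output.
        self.key = hashlib.sha256(self.key + b"rekey").digest()
        return out[:n]
```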