Colm MacCárthaigh wrote:
> Martin Rex <m...@sap.com> wrote:
>>
>> With RDRAND, you would use e.g. SHA-256 to compress 10*256 = 2560 bits of
>> a black-box CPRNG output into a 256-bit _new_ output that you
>> actually use in communication protocols.
>
> If the relation between the RDRAND input and the output of your function is
> fixed, then your attacker can then just do the same thing. It doesn't help at
> all really. You have to mix RDRAND with something else that is unknowable
> to the attacker as part of the process.
Through the 10x compression of the RDRAND output, which will provably create an incredibly huge amount of collisions, the attacker will be unable to identify any particular output values of RDRAND.

Your conceived attack could only work under the condition that 10 consecutive RDRAND outputs are always fully deterministic, and that also the seed used by RDRAND will be fully deterministic to the attacker -- or can otherwise be learned out-of-band by the attacker -- while at the same time this property will remain invisible to all external randomness tests.

Can you shed any light on how you believe an attacker could meet such preconditions? I'm not seeing the problem yet.

-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
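The disagreement above, as an added example that is not part of either post: a toy model of the hypothetical fully deterministic RDRAND that Colm's objection presupposes (a constructed HMAC-based generator, not the real instruction), showing that the 10x SHA-256 compression is reproducible by anyone holding the model's seed, while mixing in material the attacker cannot know is not. The seed, function names and the `os.urandom` stand-in for a local secret are all assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed for this demonstration: the premise of the objection is that
# the attacker already knows this seed and can recompute every RDRAND output.
BACKDOOR_SEED = b"attacker-known seed (constructed)"
OUTPUTS_PER_DRAW = 10  # 10 * 256 bits = 2560 bits, as in the thread


def model_rdrand(seed: bytes, counter: int, n: int) -> list[bytes]:
    """Thought-experiment model of a fully deterministic RDRAND: n successive
    256-bit outputs derived from a seed and a running counter.  The outputs
    look random to a black-box statistical test, yet anyone holding the seed
    can recompute them.  Not how the real instruction works."""
    return [hmac.new(seed, (counter + i).to_bytes(8, "big"), hashlib.sha256).digest()
            for i in range(n)]


def compress(outputs: list[bytes]) -> bytes:
    """Martin's proposal: SHA-256 over 2560 bits of RDRAND output."""
    return hashlib.sha256(b"".join(outputs)).digest()


def mix(outputs: list[bytes], local_secret: bytes) -> bytes:
    """Colm's suggestion: also feed in material the attacker cannot know."""
    return hashlib.sha256(b"".join(outputs) + local_secret).digest()


def victim_keys(counter: int, local_secret: bytes) -> tuple[bytes, bytes]:
    """The values a host would actually use, one per scheme."""
    draws = model_rdrand(BACKDOOR_SEED, counter, OUTPUTS_PER_DRAW)
    return compress(draws), mix(draws, local_secret)


def attacker_predicts(counter: int) -> bytes:
    """Under the premise, the attacker never needs to invert the hash or
    sort through its collisions: knowing the seed and the fixed compression
    function, they simply run the same computation forward."""
    return compress(model_rdrand(BACKDOOR_SEED, counter, OUTPUTS_PER_DRAW))


def demo(counter: int = 0) -> dict:
    """Returns which of the two schemes the attacker's forward computation hits."""
    local_secret = os.urandom(32)  # stand-in for an independent local entropy source
    compressed, mixed = victim_keys(counter, local_secret)
    guess = attacker_predicts(counter)
    return {"compress_predicted": guess == compressed,
            "mix_predicted": guess == mixed}
```

The model only tests the premise of the objection; whether real hardware could ever satisfy that premise while passing external randomness tests is exactly the open question in Martin's reply.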