Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets

Theodore Ts'o, Tue, 11 March 2014 19:54 UTC

Date: Tue, 11 Mar 2014 15:54:43 -0400
From: Theodore Ts'o <>
To: Alyssa Rowan <>
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086."

On Tue, Mar 11, 2014 at 07:13:44PM +0000, Alyssa Rowan wrote:
> B. A 'running' state, which uses that key, holds it securely, and runs
>    a good deterministic random bit generator to generate as much
>    randomness as we need [up to some limit].
> Specifically, djb advocates running A -then- run B (presumably, up to
> some defined limit, as no DRBG is sound _ad infinitum_, then we'd have
> to block and go back to A to gather another key?).

I'll note that a criterion for judging RNGs which is very popular
with academics who love to write papers poking (theoretical) holes
in random number generators is how quickly an RNG can recover from
state compromise.

One of the reasons why some people love RNGs such as Fortuna and
Yarrow is that they are specifically designed to recover from state
compromises --- and the scheme which djb has suggested would do poorly
on that particular metric.

Does it matter?  Well, entire virtual forests of electronic trees have
been felled by people speculating on whether fast/reliable recovery
from state recovery is critically important compared to other design

Personally, my take is that if you can compromise the state of the
RNG, you can probably do far more damage, so I'm not convinced state
compromise is a very high priority threat to defend against.  But
there are tons and tons of academic papers which are convinced that
any RNG which doesn't worry about this attack is Fatally Flawed.

- Ted
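The metric Ted describes, recovery from state compromise, is easy to see in a small model. The following is an added example, not code from the thread or from any of the participants, and not a description of djb's actual proposal or of Fortuna/Yarrow internals: it builds a hypothetical HMAC-SHA256 generator (`HmacDrbg`, a constructed toy) and compares a "gather a key once, then run until the limit" policy with a "periodically mix in fresh entropy" policy. An attacker who captured the state at round 0 runs an exact clone beside the real generator; `simulate` records in which rounds the clone still predicts the real output. `resync_after_weak_reseed` shows the caveat a defender needs: reseeding only helps if the fresh input is actually unpredictable, otherwise a clone can enumerate the candidates and fall back into sync. Seeds and entropy values are constructed, and the 32-byte request size is an arbitrary choice.

```python
"""Toy model of DRBG state-compromise recovery (added example, not from the thread)."""
import hashlib
import hmac
import os
from typing import Callable, List, Optional


class HmacDrbg:
    """Hypothetical HMAC-SHA256 generator: `key` is the secret state, `counter` indexes blocks."""

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha256(b"seed|" + seed).digest()
        self.counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        # Ratchet the key after each request (backtracking resistance): a *later*
        # compromise does not expose earlier output. It does nothing against a
        # compromise that already happened; that needs fresh entropy via reseed().
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out[:n]

    def reseed(self, fresh: bytes) -> None:
        """Mix new entropy into the state; recovery requires `fresh` to be unknown to the attacker."""
        self.key = hmac.new(self.key, b"reseed|" + fresh, hashlib.sha256).digest()

    def clone(self) -> "HmacDrbg":
        """What a state compromise hands the attacker: an exact copy of key and counter."""
        c = HmacDrbg.__new__(HmacDrbg)
        c.key, c.counter = self.key, self.counter
        return c


def simulate(rounds: int, reseed_interval: Optional[int],
             entropy: Callable[[], bytes] = lambda: os.urandom(32)) -> List[bool]:
    """Per round: True if the attacker's clone (captured at round 0) predicts the real output.

    reseed_interval=None models "run the DRBG until the limit with no new entropy";
    an integer k models mixing fresh entropy into the state every k rounds.
    """
    real = HmacDrbg(b"constructed initial seed")
    attacker = real.clone()              # state compromise at round 0
    predicted = []
    for r in range(1, rounds + 1):
        if reseed_interval and r % reseed_interval == 0:
            real.reseed(entropy())       # the attacker does not observe this input
        predicted.append(real.generate(32) == attacker.generate(32))
    return predicted


def resync_after_weak_reseed(entropy_bits: int = 8) -> bool:
    """Caveat: a reseed carrying only `entropy_bits` (<= 8 here) of fresh entropy gives no
    recovery, because the clone can try every candidate input against one observed output."""
    real = HmacDrbg(b"constructed initial seed")
    attacker = real.clone()
    secret = os.urandom(1)[0] % (1 << entropy_bits)   # low-entropy "fresh" input (constructed)
    real.reseed(secret.to_bytes(1, "big"))
    observed = real.generate(32)
    for guess in range(1 << entropy_bits):
        trial = attacker.clone()
        trial.reseed(guess.to_bytes(1, "big"))
        if trial.generate(32) == observed:
            return True                                # clone is back in sync with the real state
    return False


if __name__ == "__main__":
    print("no reseed      :", simulate(6, None))
    print("reseed every 3 :", simulate(6, 3))
    print("8-bit reseed, attacker resyncs:", resync_after_weak_reseed())
```

Read the two `simulate` rows together with Ted's point: without reseeding the clone stays correct for the whole run, which is exactly why the "run until the limit" scheme scores badly on this metric, while the reseeding run diverges at the first reseed and never resynchronises. Whether that matters depends, as he says, on whether an attacker who already holds your RNG state has anything left to gain; what the third function adds is that a reseed is only a recovery if the entropy it mixes in is real.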