Re: [dsfjdssdfsd] Discussion: Malicious Entropy Attacks: Eggs, and Baskets

=JeffH, Tue, 11 March 2014 22:19 UTC

To: IETF Pseudorandom Number Generator PRNG discussion list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086."

> Ted noted..
> I'll note that a criterion for judging RNGs which is very popular
> with academics who love to write papers poking (theoretical) holes
> into random number generators is how quickly an RNG can recover from
> state compromise.
> ...
> Personally, my take is that if you can compromise the state of the
> RNG, you can probably do far more damage, so I'm not convinced state
> compromise is a very high priority threat to defend against.  But
> there are tons and tons of academic papers which are convinced that
> any RNG which doesn't worry about this attack is Fatally Flawed.

A recent paper that is perhaps an instance of the above class(es) of papers
(but may be of interest in any case) is...

Dodis, Yevgeniy, Adi Shamir, Noah Stephens-Davidowitz, and Daniel Wichs.
"How to Eat Your Entropy and Have it Too—Optimal Recovery Strategies for
Compromised RNGs."
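As an added illustration of the "recovery from state compromise" criterion Ted refers to (this is example code written for this note, not code from the list or from the Dodis et al. paper): a toy hash-based RNG is fed a stream of tiny entropy inputs under two reseeding policies, and an attacker who already knows the state tries to keep tracking it from the emitted outputs with a fixed guess budget. Folding each 2-bit input in immediately lets the attacker keep up indefinitely; pooling inputs before reseeding makes the single transition too wide to search, so the RNG recovers. All constants, the hash construction and the input stream are constructed for the example.

```python
"""Toy model of RNG recovery from state compromise (constructed example)."""
import hashlib
import itertools

CHUNK_BITS = 2                    # entropy per input event (tiny, to keep searches small)
POOL_BITS = 12                    # "accumulate" policy: pool this much before reseeding
ATTACKER_BUDGET = 64              # guesses the attacker can afford per observed output
COMPROMISED_STATE = bytes(32)     # the attacker is assumed to know this starting state
# Constructed entropy stream: twelve 2-bit chunks, one int (0..3) per input event.
INPUTS = [3, 1, 2, 0, 2, 3, 1, 1, 0, 3, 2, 2]


def reseed(state, entropy):
    """Absorb entropy into the state (hash-based, like a simple pool mix)."""
    return hashlib.sha256(state + entropy).digest()


def emit(state):
    """Output derived from the current state; this is what the attacker sees."""
    return hashlib.sha256(b"out|" + state).digest()[:8]


def run(policy, inputs):
    """Feed the entropy stream through the RNG under the given policy.
    Returns (observations, final_state); each observation is
    (number_of_chunks_folded_in, output_bytes)."""
    state, pool, observations = COMPROMISED_STATE, [], []
    for chunk in inputs:
        pool.append(chunk)
        if policy == "immediate" or len(pool) * CHUNK_BITS >= POOL_BITS:
            state = reseed(state, bytes(pool))
            observations.append((len(pool), emit(state)))
            pool = []
    return observations, state


def attacker_state(policy, inputs):
    """State an attacker who knew COMPROMISED_STATE can still reconstruct by
    brute-forcing each transition against the observed outputs; returns None
    once a transition would need more guesses than ATTACKER_BUDGET."""
    observations, _ = run(policy, inputs)
    state = COMPROMISED_STATE
    for n_chunks, out in observations:
        space = itertools.product(range(2 ** CHUNK_BITS), repeat=n_chunks)
        for guesses, guess in enumerate(space, start=1):
            if guesses > ATTACKER_BUDGET:
                return None       # too much fresh entropy entered in one step
            candidate = reseed(state, bytes(guess))
            if emit(candidate) == out:
                state = candidate
                break
        else:
            return None
    return state
```

With the "immediate" policy the attacker's reconstructed state equals the RNG's true final state; with "accumulate" the attacker loses track at the first pooled reseed.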