Re: Replace /dev/random input mix polynomial with Brent's xorgen?

[Theodore Ts'o]

On Mon, Dec 16, 2013 at 01:43:59AM -0500, Theodore Ts'o wrote:
> I understand that; and as I wrote in my last e-mail, I think that is a
> substantially harder attack than the currently published cache timing
> attacks, which are known plaintext attacks --- that is the attacker
> doesn't know the key, but can choose the plaintext, and view the
> resulting ciphertext.

s/known plaintext attacks/chosen plaintext attacks/

> 
> In this case, the attacker doen't know the key *and* the plaintext; it
> can view its own attempt to read from /dev/random, but from that, it
> needs to be able to figure out the the key and the plaintext (i.e.,
> the entropy pool) in order to be able to predict someone else's output
> of /dev/random.
> 
> If you think this is easier than the currently published cache timing
> attacks, please provide details why you think this is the case,
> preferably in the form of a demonstration....
> 
> 						- Ted
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/