On Wed, Aug 05, 2020 at 04:49:41AM +0200, Willy Tarreau wrote: > > Not only was this obviously not the goal, but I'd be particularly > interested in seeing this reality demonstrated, considering that > the whole 128 bits of fast_pool together count as a single bit of > entropy, and that as such, even if you were able to figure the > value of the 32 bits leaked to net_rand_state, you'd still have to > guess the 96 other bits for each single entropy bit :-/ Not only that, you'd have to figure out which 32-bits in the fast_pool actually had gotten leaked to the net_rand_state. I agree with Willy that I'd love to see an exploit since it would probably give a lot of insights. Maybe at a Crypto rump session once it's safe to have those sorts of things again. :-) That being said, it certainly is a certificational / theoretical weakness, and if the bright boys and girls at Fort Meade did figure out a way to exploit this, they are very much unlikely to share it at an open Crypto conference. So replacing LFSR-based PRnG with something stronger which didn't release any bits from the fast_pool would certainly be desireable, and I look forward to seeing what Willy has in mind. Cheers, - Ted
