Cooperating networked CSPRNGs
- From: Mike Amling <nospam@xxxxxxxxxx>
- Date: 04 Sep 2006 21:05:37 EDT
It occurred to me that several cooperating networked CSPRNGs could derive entropy from messages received from each other. For instance, Alice, Bob and Mallory each set up a Fortuna instance. Each of them then at suitable intervals executes the following protocol as Sender with another participant as Responder.
1. Sender makes up an ephemeral DH keypair.
2. Sender sends the public key to Responder.
3. Sender receives the Responder's public key.
4. Sender calculates the shared secret.
5. Sender treats the result of 4 like any other source of entropy.
To prevent step 3 from waiting forever, participants also execute the Responder's role when an unsolicited public key arrives:
A. Responder uses its own PRNG to make up an ephemeral keypair.
B. Responder sends that fresh public key to the Sender of the unsolicited public key.
C. Responder calculates the shared secret and treats it as an entropy source.
The protocol allows a participant to bring up its entropy closer to its partner's when the partner has more. Against adversaries who are not monitoring the network, this can take the participant's state from being guessable to being unguessable. An adversary who can guess a participant's state and can see the partner's public key can calculate the shared secret.
An adversary trying to guess a participant's state can use the participant's ephemeral public key to confirm the guess, but that's true for any output from the CSPRNG.
Does anyone see any drawbacks that I have missed?
--Mike Amling
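The exchange described above, as an added example that is not part of the original post. It plays both roles (steps 1 to 5 for the Sender, A to C for the Responder) over RFC 3526 MODP group 14 and feeds each side's shared secret into a deliberately simplified single-pool, SHA-256-based stand-in for Fortuna; it also reproduces the post's own caveat, that an adversary who has correctly guessed a participant's PRNG state and sees the partner's public key on the wire obtains the secret. The class and function names (`FortunaLite`, `Participant`, `run_exchange`, `recover_secret_from_guessed_state`), the subgroup check on received public keys, and the sample seeds are all assumptions of this example; the prime below was transcribed by hand and `group_params_ok()` verifies the transcription before anything else runs.

```python
import hashlib
import secrets

# RFC 3526 2048-bit MODP group 14: safe prime p = 2q + 1 with generator 2.
# Hand-transcribed constant; group_params_ok() checks it before use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # prime order of the subgroup generated by G


def _probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases; enough to catch a mistyped constant."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def group_params_ok() -> bool:
    """p and q prime, and G lies in (so generates) the order-q subgroup."""
    return _probable_prime(P) and _probable_prime(Q) and pow(G, Q, P) == 1


class FortunaLite:
    """Single-pool sketch of Fortuna (assumption of this example): add_event hashes
    entropy into the pool, reseed folds the pool into the generator key, output is
    SHA-256 in counter mode. Real Fortuna has 32 pools, AES and reseed scheduling."""

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(b"seed:" + seed).digest()
        self.counter = 0
        self.pool = hashlib.sha256()

    def clone(self) -> "FortunaLite":
        other = FortunaLite.__new__(FortunaLite)
        other.key, other.counter, other.pool = self.key, self.counter, self.pool.copy()
        return other

    def add_event(self, source: int, data: bytes) -> None:
        self.pool.update(bytes([source]) + len(data).to_bytes(2, "big") + data)

    def reseed(self) -> None:
        self.key = hashlib.sha256(b"reseed:" + self.key + self.pool.digest()).digest()
        self.pool = hashlib.sha256()

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(16, "big")).digest()
            self.counter += 1
        self.key = hashlib.sha256(b"rekey:" + self.key).digest()  # backtracking resistance
        return out[:n]


def _exponent_from(prng: FortunaLite) -> int:
    """A 256-bit private exponent in [2, Q) drawn from the given PRNG."""
    return 2 + int.from_bytes(prng.random_bytes(32), "big") % (Q - 2)


class Participant:
    def __init__(self, name: str, seed: bytes):
        self.name = name
        self.prng = FortunaLite(seed)

    def ephemeral_keypair(self) -> tuple:
        x = _exponent_from(self.prng)  # step 1 / step A: from the participant's own PRNG
        return x, pow(G, x, P)

    def absorb_secret(self, source: int, secret: int) -> None:
        self.prng.add_event(source, secret.to_bytes(256, "big"))  # step 5 / step C
        self.prng.reseed()


def shared_secret(private: int, peer_public: int) -> int:
    """Step 4: g^xy mod p, after rejecting peer values outside the order-q subgroup."""
    if not 1 < peer_public < P - 1 or pow(peer_public, Q, P) != 1:
        raise ValueError("peer public key is not in the prime-order subgroup")
    return pow(peer_public, private, P)


def run_exchange(sender: Participant, responder: Participant, wire: list) -> tuple:
    """One run of the post's protocol; `wire` is what a network observer sees."""
    s_priv, s_pub = sender.ephemeral_keypair()         # 1
    wire.append((sender.name, responder.name, s_pub))  # 2
    r_priv, r_pub = responder.ephemeral_keypair()      # A
    wire.append((responder.name, sender.name, r_pub))  # B
    k_resp = shared_secret(r_priv, s_pub)              # C
    k_send = shared_secret(s_priv, r_pub)              # 3, 4
    responder.absorb_secret(1, k_resp)                 # C
    sender.absorb_secret(1, k_send)                    # 5
    return k_send, k_resp


def recover_secret_from_guessed_state(guess: FortunaLite, wire: list, victim: str) -> int:
    """The post's caveat: a correct guess of the victim's pre-exchange PRNG state
    yields the victim's ephemeral exponent, and the partner's public key on the
    wire then yields the shared secret. Only the first exchange on `wire` is used."""
    peer_pub = next(pub for _src, dst, pub in wire if dst == victim)
    return shared_secret(_exponent_from(guess), peer_pub)


if __name__ == "__main__":
    assert group_params_ok()
    alice = Participant("Alice", secrets.token_bytes(32))  # well-seeded partner
    bob = Participant("Bob", b"constructed weak seed")      # guessable state
    guess = bob.prng.clone()                               # adversary's correct guess
    wire = []
    k_a, k_b = run_exchange(alice, bob, wire)
    print("secrets agree:", k_a == k_b)
    print("guessed state + wire gives secret:",
          recover_secret_from_guessed_state(guess, wire, "Bob") == k_b)
```

The subgroup check in `shared_secret` is not in the post; it is there because a participant that absorbs whatever arrives unsolicited would otherwise let a peer force the "secret" to a value such as 1, which adds nothing to the pool. After the exchange, Bob's generator output diverges from the adversary's clone, which is the improvement the post describes against an adversary who is not watching the network; against one who is, the clone plus Alice's public key recovers the secret exactly as the post warns.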