On 12/22/2010 01:42 PM, Ted Unangst wrote:
quoted text
>>
>> This distinguisher works by looking at the probability of pairs of bytes
>> being repeated (2 to 5 times) within a certain number of rounds (having a
>> gap 'g' between them). Fig 3 shows their results for gaps from 0 to 60. It
>> looks like the data collection cost incurred by a reseeding would
> comparable
>> to the amount recommended to skip after initialization: 256 bytes.
>
> I'm not sure how you arrived at this result.  The new stream is
> unrelated to the old one.  Otherwise, why not just treat all RC4
> streams as the same?

Yes, they very nearly are. To a man with a memory of 30 minutes or so, 
every new year is unrelated to the old one. To a statistical test that 
only looks back on the last 30 bytes or so of history for a 
low-probability event, something that changes every few MB won't affect it.

This distinguisher works on samples of any four bytes of output from any 
RC4 stream regardless of keying. (But it needs less data if you're give 
it slightly longer sequences.) Which is the key property of an RNG: 
every output value is the same until you look at it.

Which is why I'm wondering what exactly, this 'multi-consumer' design 
feature is all about. Is it simply that more userland stuff is pinging 
the kernel at unpredictable times resulting in more timestamps feeding 
into the central entropy pool? It seems like you could accomplish that 
with any syscall. Or is there some other effect being claimed?

- Marsh