Wolfgang Rupprecht <wolfgang@wsrcc.com> writes:
> I agree.  That wasn't the suggestion though.  My initial msg mentioned
> (perhaps too briefly) running the crypto unit in "chained feedback
> mode".  That is, the current output is a function of the current input
> and the last output.  The set of covered output states is as large as
> 2^(cipher-block-size).

That is to some extent what we already do. The output state of the
CPRNG is a function of the existing internal1 states and new entropy
that gets mixed in. The problem is what might happen in the case of
adaptive attacks. Again, it is a lot of chained "ifs" but I prefer not
to have the possibility around. Call it a robustness principle.

--
Perry E. Metzger		perry@wasabisystems.com
--
NetBSD Development, Support & CDs. http://www.wasabisystems.com/