by ynik
629 days ago
> You can send half-random input in and then send more half-random input in until you’re satisfied that the RNG has gotten a suitable amount of entropy.

This does not actually work. If an attacker can observe output of the CSPRNG, and knows the initial state (when it did not yet have enough entropy), then piecemeal addition of entropy allows the attacker to brute-force what the added entropy was.

To be safe, you need to add a significant amount of entropy at once, without allowing the attacker to observe output from an intermediate state. But after you've done that, you won't ever need to add entropy again.
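An added illustration of the point made in this comment (example code written for this page, not from the thread or any real CSPRNG): a toy pool where the new state is SHA-256(state || entropy) and each output is a short tag of the state. `mix`, `output`, `piecemeal_generator`, `recover_piecemeal` and `batch_work_factor` are hypothetical names chosen here; the initial state is assumed known to the attacker (an empty pool).

```python
import hashlib
import os

CHUNK = 1  # bytes of entropy mixed in per step in the piecemeal design


def mix(state: bytes, entropy: bytes) -> bytes:
    """Toy reseed: new state = H(old state || entropy)."""
    return hashlib.sha256(state + entropy).digest()


def output(state: bytes) -> bytes:
    """Toy output function: a 64-bit tag derived from the current state."""
    return hashlib.sha256(b"out" + state).digest()[:8]


def piecemeal_generator(initial_state: bytes, secret: bytes):
    """Mix `secret` in CHUNK bytes at a time, emitting an output after each
    step (the design the comment warns about). Returns (final_state, outputs)."""
    state, observed = initial_state, []
    for i in range(0, len(secret), CHUNK):
        state = mix(state, secret[i:i + CHUNK])
        observed.append(output(state))
    return state, observed


def recover_piecemeal(initial_state: bytes, observed: list):
    """Attacker knows the initial (low-entropy) state and sees every output.
    Each step added only 8 bits, so each step costs at most 256 guesses
    instead of the full secret space. Returns (recovered_state, guesses)."""
    state, guesses = initial_state, 0
    for out in observed:
        for cand in range(256 ** CHUNK):
            guesses += 1
            trial = mix(state, cand.to_bytes(CHUNK, "big"))
            if output(trial) == out:
                state = trial
                break
        else:
            raise ValueError("no candidate matched; model mismatch")
    return state, guesses


def batch_work_factor(secret_len: int) -> int:
    """Guesses needed when the same bytes are mixed in one step with no
    output emitted in between: the whole secret must be guessed at once."""
    return 256 ** secret_len


if __name__ == "__main__":
    initial = bytes(32)          # constructed: pool started empty, attacker knows it
    secret = os.urandom(4)       # 32 bits of fresh entropy, added one byte at a time
    final_state, seen = piecemeal_generator(initial, secret)
    recovered, work = recover_piecemeal(initial, seen)
    print(recovered == final_state, work, "guesses vs", batch_work_factor(len(secret)))
```

With four bytes added piecemeal the recovery never exceeds 4 * 256 guesses, whereas the same four bytes mixed in at once cost 2**32; the fix is the batch reseed the comment describes, not more frequent small additions.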
GP does not suggest using the output before enough entropy had been gathered, e.g. see ‘until’ in:
> until you’re satisfied that the RNG has gotten a suitable amount of entropy.