

Entropy Attacks - sdevlin
http://blog.cr.yp.to/20140205-entropy.html

======
fafner
If the attacker can control the microcode of the CPU (RDRAND example) then
couldn't she just modify the whole key generation routine anyway? I'm not
saying that DJB's concerns are wrong. But to me it seems that the worst case
example would mean a total compromise.

(I like the name of the IETF's randomness mailing list dsfjdssdfsd
[https://www.ietf.org/mailman/listinfo/dsfjdssdfsd](https://www.ietf.org/mailman/listinfo/dsfjdssdfsd))

edit: I think I understand. The attack DJB proposes would be almost impossible
to detect, unlike changing results completely. Although the latter is probably
undetectable in practice IMO.

