Re: Random Data from Geiger Counter

New Message Reply About this list Date view Thread view Subject view Author view

bram (bram@gawth.com)
Thu, 16 Jul 1998 12:25:19 -0700 (PDT)


On Thu, 16 Jul 1998, Mike Rosing wrote:

> And I can read the source for my hardware RNG. Both can be tested the
> same way. What do you do if your PRNG fails a test once? Chuck it?

Yes.

One of the nice things about software cryptography is that it can be held
to that sort of standard.

> It's actually quite easy to check on a continuous basis. If it differs
> from what you expect, you can halt it and check the electronics (or in a
> cost critical situation just replace it).

For crypto applications, just because a bit stream passes basic
statistical tests doesn't mean it's at all useful for crypto purposes, and
in fact doing statistical tests on random data you intend to use can leave
you very vulnerable to side channel attacks. (although that problem can be
at least helped by only testing some of an RNG output for statistical
patterns.)

> Now don't get me wrong, PRNG are very important for crypto purposes. But
> to say they can replace hardware RNG because you don't know what the RNG
> is doing is complete fallacy with a long history of proof.

None of us are arguing against having RNGs around, just discussing what
to do with their output. Relying on the raw output of an RNG for
cryptographic purposes would be an exceedingly risky proposition.

I wonder if designing an RNG with the idea that its output would go
through cryptographic processing would be easier than designing one
normally - you could just take biases into account when figuring out how
much entropy the thing is producing, and not bend over backwards trying to
stamp them out completely.

-Bram
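
[Editor's note: the following is an added worked example illustrating the
two ideas in Bram's post above (health-testing only a slice of the raw
output, and accounting for a known bias instead of removing it). It is not
code from Bram, Mike Rosing, or anyone on this thread. The "Geiger" source
is a simulated, constructed biased bit stream with an assumed P(1)=0.6;
SHA-256 is used as the conditioning function, and the proportion test is a
deliberately simple stand-in for a real continuous health test.]

```python
"""Entropy accounting for a biased bit source plus conditioning.

Hypothetical example. The source is simulated (constructed data), the
design bias p_one=0.6 is an assumption, SHA-256 stands in for whatever
conditioner a real design would justify.
"""
import hashlib
import math
import random


def min_entropy_per_bit(p_one: float) -> float:
    """Min-entropy (bits) of one output bit when P(1) = p_one.

    Assumes bits are independent; a real source needs that argued separately.
    """
    p_max = max(p_one, 1.0 - p_one)
    return -math.log2(p_max)


def raw_bits_needed(target_bits: int, p_one: float) -> int:
    """Raw bits to feed the conditioner so its input carries target_bits of min-entropy."""
    return math.ceil(target_bits / min_entropy_per_bit(p_one))


def estimate_bias(bits) -> float:
    """Observed fraction of ones."""
    return sum(bits) / len(bits)


def health_check(bits, expected_p_one: float, tolerance: float) -> bool:
    """Crude proportion test: is the observed bias near the design bias?"""
    return abs(estimate_bias(bits) - expected_p_one) <= tolerance


def condition(bits) -> bytes:
    """Pack raw bits MSB-first into bytes and hash them down to 32 bytes."""
    packed = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        byte = 0
        for b in chunk:
            byte = (byte << 1) | b
        byte <<= 8 - len(chunk)  # zero-pad a trailing partial byte
        packed.append(byte)
    return hashlib.sha256(bytes(packed)).digest()


def simulate_source(n: int, p_one: float, seed: int):
    """Constructed stand-in for a hardware source: i.i.d. bits with P(1)=p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def harvest(source_bits, p_one_design: float, target_bits: int = 256,
            test_len: int = 1024, tolerance: float = 0.1) -> bytes:
    """Health-test a slice, discard it, then condition enough of the rest.

    The tested slice is never used as output, so whatever the test leaks
    (timing, the verdict itself) says nothing about the bits we keep.
    """
    sample, rest = source_bits[:test_len], source_bits[test_len:]
    if not health_check(sample, p_one_design, tolerance):
        raise RuntimeError("source failed health test: halt and inspect hardware")
    need = raw_bits_needed(target_bits, p_one_design)
    if len(rest) < need:
        raise ValueError(f"need {need} raw bits after the test slice, have {len(rest)}")
    return condition(rest[:need])


if __name__ == "__main__":
    p = 0.6  # assumed design bias of the simulated source
    print(f"min-entropy per raw bit at p={p}: {min_entropy_per_bit(p):.4f}")
    print(f"raw bits for 256 bits of min-entropy: {raw_bits_needed(256, p)}")
    print("conditioned output:", harvest(simulate_source(2048, p, seed=7), p).hex())
```

The point of the accounting is that a 60/40 source is perfectly usable: it
just costs about 348 raw bits per 256-bit output instead of 256, and the
conditioner removes the bias for you. The same function would refuse a
source whose observed bias drifts far from the design value, which is the
"halt it and check the electronics" case.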




The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:28 ADT