Re: Strong PRNG with AES or 3-DES

Mok-Kong Shen (mok-kong.shen@stud.uni-muenchen.de)
Mon, 10 Aug 1998 11:18:59 +0100

• Next message: Marcus Watts: "Re: Strong PRNG with AES or 3-DES"
• Previous message: Ben Laurie: "Re: Strong PRNG with AES or 3-DES"
• In reply to: John Kelsey: "Re: Strong PRNG with AES or 3-DES"
• Next in thread: Marcus Watts: "Re: Strong PRNG with AES or 3-DES"
• Reply: Marcus Watts: "Re: Strong PRNG with AES or 3-DES"

Berke Durak wrote:

> Thanks to Bob Baldwim for his comment: after reflexion, I noticed that I
> made a dangerous mistake while using RC6 as a PRNG. I used the following ...........................

> Anyway, I'm considering using the following scheme:
>
> 1.key RC6 with a 128-bit strong seed
> 2.let A,B,C,D be the 32-bit blocks, with (A,B,C,D)
> forming the 128-bit RC6 block.
> set A,B,C,D initially to zero.
> 3.output E(A,B,C,D) for the pseudorandom stream
> 4.(A,B,C,D) <- f(A,B,C,D)
> where f is a function such that
> for all (A,B,C,D),
> card { f^i(A,B,C,D) | i in |N } = 2^128.
> 5.goto step 3
>
> The simplest f function that comes to mind is incrementation.
>
> However there is no way to access the carry/overflow CPU bits from languages
> such as C. The obvious way to increment a 128-bit register formed of 4
> 32-bit registers is by something like
>
> if (a == 0xffffffff) b++; a++;
> if (b == 0xffffffff) c++; b++; etc...
>
> of course instead of testing if a register is equal to 0xffffffff, one might
> test if it is equal to any other particular value which is more convenient,
> e.g. zero.
>
> Does someone know
> 1.A more elegant f function (for C implementation)
> or 2.A different operation mode for using a block cipher
> as a maximum-length PRNG ?

I wonder whether a method that I employed in another situation of
pseudo-random number generation could be of some use to you. It is
addition of two pseudo-random real numbers streams (in my case in [0,1))
mod 1. Since one can't determine from the result of this addition
the two participating addends, it appears barely possible for
the analyst to determine the two input streams, thus providing
security. I think that if you have two bit streams you can analogously
take 32 bit blocks and do addition mod 2^32 (which on PC is just
the ordinary integer addition, the carry-over beyond the leftmost
bit being simply ignored). For an concrete implementation using the
said method and literature reference of it see

   http://www.stud.uni-muenchen.de/~mok-kong.shen/#paper9

I should appreciate very much to know whether my above argument
concerning the security provided by addtion mod 1 is o.k.

M. K. Shen

• Next message: Marcus Watts: "Re: Strong PRNG with AES or 3-DES"
• Previous message: Ben Laurie: "Re: Strong PRNG with AES or 3-DES"
• In reply to: John Kelsey: "Re: Strong PRNG with AES or 3-DES"
• Next in thread: Marcus Watts: "Re: Strong PRNG with AES or 3-DES"
• Reply: Marcus Watts: "Re: Strong PRNG with AES or 3-DES"