On Jun 18, 2012, at 11:21 52PM, ianG wrote:

> Then there are RNGs. They start from a theoretical absurdity that we cannot
> predict their output, which leads to an apparent impossibility of
> black-boxing.
>
> NIST recently switched gears and decided to push the case for deterministic
> PRNGs. According to original thinking, a perfect RNG was perfectly
> untestable. Whereas a perfectly deterministic RNG was also perfectly
> predictable. This was a battle of two not-goods.
>
> Hence the second epiphany: NIST were apparently reasoning that the
> testability of the deterministic PRNG was the lesser of the two evils. They
> wanted to black-box the PRNG, because black-boxing was the critical
> determinant of success.
>
> After a lot of thinking about the way the real world works, I think they have
> it right. Use a deterministic PRNG, and leave the problem of securing good
> seed material to the user. The latter is untestable anyway, so the right
> approach is to shrink the problem and punt it up-stack.
There's evidence, dating back to the Clipper chip days, that NSA feels the same way. Given the difficulty of proving there are no weird environmental impacts on hardware RNGs, they're quite correct.

--Steve Bellovin, https://www.cs.columbia.edu/~smb

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
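The design point argued in the thread, a deterministic generator that is black-box testable while the seed is left to the caller, is easiest to see in code. The following is an added example, written for this page and not posted by either participant: a minimal HMAC_DRBG following the NIST SP 800-90A construction over HMAC-SHA256. The class name, the `ReseedRequired` exception, the reseed interval default, and every seed value in the self-tests are assumptions constructed for illustration, not NIST test vectors or anyone's production code.

```python
"""Minimal HMAC_DRBG (NIST SP 800-90A construction) over HMAC-SHA256.

Added example, not code by either poster. It shows why a deterministic DRBG
is black-box testable: the same seed always yields the same output, so a
harness can check it byte for byte, while the quality of the seed itself is
left to the caller. Seeds used in the self-tests are constructed values.
"""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


class ReseedRequired(Exception):
    """Raised when the caller must supply fresh entropy before more output."""


class HmacDrbg:
    def __init__(self, entropy: bytes, nonce: bytes = b"",
                 personalization: bytes = b"", reseed_interval: int = 10_000):
        # Instantiate: K = 0x00..00, V = 0x01..01, then fold in seed material.
        self._k = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1
        self._reseed_interval = reseed_interval  # assumed policy value

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: mix provided_data into K and V.
        self._k = self._hmac(self._k, self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._k, self._v)
        if not provided_data:
            return
        self._k = self._hmac(self._k, self._v + b"\x01" + provided_data)
        self._v = self._hmac(self._k, self._v)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        # Fresh entropy is the caller's job; the DRBG only mixes it in.
        self._update(entropy + additional_input)
        self._reseed_counter = 1

    def generate(self, n: int, additional_input: bytes = b"") -> bytes:
        # Refuse to run indefinitely on one seed: push reseeding up-stack.
        if self._reseed_counter > self._reseed_interval:
            raise ReseedRequired("reseed interval exceeded; call reseed()")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n:
            self._v = self._hmac(self._k, self._v)
            out += self._v
        # Refresh state after output so past output does not reveal state.
        self._update(additional_input)
        self._reseed_counter += 1
        return out[:n]


def deterministic_self_test(seed: bytes = b"constructed-test-seed-32-bytes!!",
                            nonce: bytes = b"constructed-nonce") -> bool:
    """Black-box check possible only because the generator is deterministic:
    identical seed material must give identical output, and a one-bit change
    in the seed must change it (constructed seed, not a NIST vector)."""
    a = HmacDrbg(seed, nonce).generate(64)
    b = HmacDrbg(seed, nonce).generate(64)
    flipped = bytes([seed[0] ^ 0x01]) + seed[1:]
    c = HmacDrbg(flipped, nonce).generate(64)
    return a == b and a != c and len(a) == 64


def reseed_enforced(interval: int = 3) -> bool:
    """Check that output stops until the caller reseeds (constructed seeds)."""
    d = HmacDrbg(b"\x42" * 32, reseed_interval=interval)
    for _ in range(interval):
        d.generate(16)
    try:
        d.generate(16)
        return False
    except ReseedRequired:
        pass
    d.reseed(b"\x43" * 32)
    return len(d.generate(16)) == 16


def sample_usage() -> bytes:
    """Typical split: the OS supplies the seed; the DRBG is the tested part."""
    drbg = HmacDrbg(os.urandom(32), nonce=os.urandom(16),
                    personalization=b"example-app-v1")
    return drbg.generate(32)


if __name__ == "__main__":
    print("deterministic self-test:", deterministic_self_test())
    print("reseed enforced:", reseed_enforced())
    print("sample output:", sample_usage().hex())
```

The two self-tests are exactly the kind of check the thread says a hardware RNG cannot offer: the generator's whole behaviour is fixed by its inputs, so a known seed gives a known answer, and the only untestable part, the entropy fed to `HmacDrbg()` and `reseed()`, is made an explicit interface rather than hidden inside the box.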