----- Original Message -----
From: <[EMAIL PROTECTED]>
> Joseph Ashwood
> > Because with a pRNG we can sometimes prove very important
> > things, while with a RNG we can prove very little (we can't even
> > prove that entropy actually exists, let alone that we can
> > collect it).
>
> Don't be silly.  Of course we know that entropy exists, and we can
> collect it.
>
> If a RNG runs off Johnson noise, then the ability to predict its
> output would imply the ability to violate the second law of
> thermodynamics.  If it runs off shot noise, then the ability to
> predict its output would disprove quantum mechanics.

Actually, there are models that fit the universe that are entirely
deterministic. Admittedly the current line of thinking is that entropy
exists, but we still have not proven that it must exist.

> James A. Donald:
> > > And if one is implementing a PRNG in software, it is trivial
> > > to have lots of internal state (asymptotically approaching
> > > one-time pad properties).
>
> Joseph Ashwood
> > The problem is not having that much internal state, but what do
> > you do with it? Currently the best options on that front involve
> > using block ciphers in various modes, but this has a rather
> > small state,
>
> RC4 has 1684 bits of state, which should prove sufficient to
> defeat guessing.

And RC4 is far from a good RNG of any type: it's distinguishable from random
fairly easily, and unless it's used very carefully it's weak. If one were to
try to guess all 1684 bits it would be exceedingly difficult, but to start
with, it's only a permutation, so the space is much smaller; in addition, the
state itself has more attacks available against it. Like I said, the "best
options" come from block ciphers.
                        Joe
