On 21 Apr 2002 at 10:00, Major Variola (ret) wrote:

> At 11:22 AM 4/21/02 +0200, Eugen Leitl wrote:
>
> >I disagree here somewhat. Cryptography ttbomk doesn't have means of
> >construction of provably strong PRNGs, especially scalable ones, and with
> >lots of internal state (asymptotically approaching one-time pad
> >properties), and those which can be mapped to silicon real estate
> >efficiently both in time (few gate delays, >GBps data rates) and in space
> >(the silicon real estate consumed for each bit of PRNG state).
>
> What is a "provably strong" PRNG? Strong against what?
> If I'm supposed to know this, and have forgotten it, a
> pointer will suffice. I know what the attacks are for a crypto-strong
> plain-ole-analog-based-RNG.
>
> It's quite easy to generate apparently-random (i.e., PRNGs) from
> block ciphers being fed, say, integers, or their own output, etc.
> These can be made small and fast in hardware. Large families of
> these can be constructed e.g. by varying bits e.g., in Blowfish's
> S-tables, etc.

Yes. If you know what PRNG somebody is using and you know the seed, you know the output. Seems to me the best a PRNG could hope to get is a situation where, looking at a long stream of output, there's no way of predicting the future output that's more efficient than guessing the initial seed. I don't think achieving that is all that hard in practice.
George
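Added example, not from the thread or any of its authors: the "block cipher fed integers, or its own output" construction Major Variola describes, written as a small generator with both feeding modes, plus a check of the point George makes (same generator and seed, same stream). HMAC-SHA256 is substituted for the block cipher as a keyed pseudorandom function so the code runs on a stock Python install; that substitution, the class name and the seeds are assumptions of this example.

```python
import hmac
import hashlib


class BlockPRNG:
    """Keyed-PRF generator in the style the thread describes.

    HMAC-SHA256 stands in for the block cipher (assumption of this example).
    mode="counter": the PRF is fed successive integers.
    mode="feedback": the PRF is fed its own previous output block.
    The seed is the key, so the whole stream is a function of the seed.
    """

    def __init__(self, seed: bytes, mode: str = "counter"):
        if mode not in ("counter", "feedback"):
            raise ValueError("mode must be 'counter' or 'feedback'")
        self.seed = seed
        self.mode = mode
        self.counter = 0                 # next integer to feed in counter mode
        self.prev = b"\x00" * 32         # last output block in feedback mode

    def _prf(self, data: bytes) -> bytes:
        return hmac.new(self.seed, data, hashlib.sha256).digest()

    def next_block(self) -> bytes:
        if self.mode == "counter":
            out = self._prf(self.counter.to_bytes(8, "big"))
            self.counter += 1
        else:
            out = self._prf(self.prev)
            self.prev = out
        return out

    def stream(self, nbytes: int) -> bytes:
        buf = b""
        while len(buf) < nbytes:
            buf += self.next_block()
        return buf[:nbytes]


def reproducible(seed: bytes, mode: str, n: int = 1024) -> bool:
    """Knowing the generator and the seed reproduces the output exactly."""
    return BlockPRNG(seed, mode).stream(n) == BlockPRNG(seed, mode).stream(n)


def ones_fraction(data: bytes) -> float:
    """Crude balance check: fraction of 1 bits, expected to sit near 0.5."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))
```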