[EMAIL PROTECTED] wrote:
>
> On 21 Apr 2002 at 10:00, Major Variola (ret) wrote:
>
> > At 11:22 AM 4/21/02 +0200, Eugen Leitl wrote:
> >
> > >I disagree here somewhat. Cryptography ttbomk doesn't have means of
> > >construction of provably strong PRNGs, especially scalable ones, and with
> > >lots of internal state (asymptotically approaching one-time pad
> > >properties), and those which can be mapped to silicon real estate
> > >efficiently both in time (few gate delays, >GBps data rates) and in space
> > >(the silicon real estate consumed for each bit of PRNG state).
> >
> > What is a "provably strong" PRNG? Strong against what?
> > If I'm supposed to know this, and have forgotten it, a
> > pointer will suffice. I know what the attacks are for a crypto-strong
> > plain-ole-analog-based-RNG.
> >
> > It's quite easy to generate apparently-random (ie, PRNGs) from
> > block ciphers being fed, say, integers, or their own output, etc.
> > These can be made small and fast in hardware. Large families of
> > these can be constructed e.g. by varying bits e.g., in Blowfish's
> > S-tables, etc.
> >
>
> Yes. If you know what PRNG somebody is using and you know the
> seed you know the output. Seems to me the best a PRNG
> could hope to get is a situation where, looking at a long stream
> of output, there's no way of predicting the future output that's
> more efficient than guessing the initial seed. I don't think
> achieving that is all that hard in practice.
Oh surely you can do better than that - making it hard to guess the seed is also clearly a desirable property (and one that the square root "rng" does not have).

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html
http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
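[Editor's note: the following is an added worked example, not code posted by anyone in this thread.] The construction Major Variola describes, a block cipher fed with integers or with its own output, and the two points made in reply (knowing the cipher and seed fixes the output; the seed must therefore be hard to guess) can be shown concretely. The example below assumes AES as the block cipher (the thread mentions Blowfish; AES is used only because it is in Go's standard library) and assumes, for the brute-force part, a deliberately tiny 16-bit seed space. The function names (KeyFromSeed, CounterPRNG, FeedbackPRNG, RecoverSeed) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Added example: a block-cipher PRNG in the style the thread discusses.
// AES is an assumption (any block cipher would do); the 16-bit seed space in
// main() is an assumption chosen so the seed-guessing attack finishes quickly.

const blockSize = aes.BlockSize // 16 bytes

// KeyFromSeed expands a small integer seed into a 128-bit AES key by placing it
// in the low 32 bits. It exists only to give an enumerable seed space for the
// demonstration; a real generator would take a full-entropy key as its seed.
func KeyFromSeed(seed uint32) []byte {
	key := make([]byte, 16)
	binary.BigEndian.PutUint32(key[12:], seed)
	return key
}

// CounterPRNG is the "fed with integers" variant: the output is the
// concatenation E_key(0), E_key(1), E_key(2), ... truncated to n bytes.
func CounterPRNG(key []byte, n int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 0, n+blockSize)
	ctr := make([]byte, blockSize)
	buf := make([]byte, blockSize)
	for i := uint64(0); len(out) < n; i++ {
		binary.BigEndian.PutUint64(ctr[8:], i) // counter in the low 64 bits
		block.Encrypt(buf, ctr)
		out = append(out, buf...)
	}
	return out[:n]
}

// FeedbackPRNG is the "fed with its own output" variant: x_{i+1} = E_key(x_i),
// starting from the all-zero block, so its first block equals CounterPRNG's.
func FeedbackPRNG(key []byte, n int) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 0, n+blockSize)
	state := make([]byte, blockSize)
	for len(out) < n {
		block.Encrypt(state, state) // in-place: dst and src overlap entirely
		out = append(out, state...)
	}
	return out[:n]
}

// RecoverSeed plays the observer who knows the construction but not the seed:
// it tries every seed in [0, 2^seedBits) (seedBits must be < 32) and reports
// the one that reproduces the observed output. Nothing about the output helps;
// the work is exactly "guessing the initial seed", which is why the seed space
// has to be large.
func RecoverSeed(observed []byte, seedBits uint) (uint32, bool) {
	for s := uint32(0); s < 1<<seedBits; s++ {
		if bytes.Equal(CounterPRNG(KeyFromSeed(s), len(observed)), observed) {
			return s, true
		}
	}
	return 0, false
}

func main() {
	key := KeyFromSeed(48879) // constructed seed, 0xBEEF
	a := CounterPRNG(key, 32)
	b := CounterPRNG(key, 32)
	fmt.Printf("same seed, same output: %v\n", bytes.Equal(a, b))
	fmt.Printf("counter stream:  %x\n", a)
	fmt.Printf("feedback stream: %x\n", FeedbackPRNG(key, 32))

	// 32 observed bytes and a 16-bit seed: at most 65536 key setups.
	s, ok := RecoverSeed(a, 16)
	fmt.Printf("seed recovered: %v (%d)\n", ok, s)
}
```

With a 128-bit key in place of the 16-bit seed the same loop is infeasible, which is the whole difference between this construction and one whose seed can be guessed.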