On Fri, Aug 29, 2003 at 03:45:50PM -0400, Thor Lancelot Simon wrote:
> I think there's some confusion of terminology here. A "time", Ti for each
> iteration of the algorithm, is one of the inputs to the X9.17 generator
> (otherwise, you might as well just use DES/3DES in any chaining or feedback
> mode, for all practical purposes).

Indeed. One of the problems with ANSI X9.17's description of this PRNG is that it isn't obvious that the implementation needs to re-sample DT (its date/time vector; NIST requires that this changes every round) and re-encrypt it every round. (This error in interpretation is prevalent enough that it is depicted incorrectly in the HAC and Counterpane's PRNG attack paper.) ANSI X9.31 does a better job of specifying it.

> However, it has always been permitted
> to use a free-running counter instead of the time, and indeed the current
> interpretation by NIST *requires* that a counter, not the time, be used.

"always" is a strong term, but they have allowed it for the last 4 years or so, anyway. I don't think that I've seen any guidance from NIST that disallows an actual clock, but they do want the value to change every round, so it would have to be a fast clock or a slow implementation to fulfill the requirement in this way.

Josh

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
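The re-sample-and-re-encrypt point raised in the reply above, as an added example that is not part of the thread: the X9.17 round structure is written out with a keyed stand-in (HMAC-SHA256 truncated to one 64-bit block) in place of 3DES so it runs offline, and the key, seed and counter source are constructed here. It contrasts a DT that changes every round with the misreading where DT is sampled once, and shows that the defect is visible only in the intermediate I, not in the output stream.

```python
import hmac
import hashlib

BLOCK = 8  # X9.17 works on 64-bit (DES-sized) blocks

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for 3DES: a keyed PRF truncated to one block (NOT X9.17's real cipher)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class X917Generator:
    """One X9.17 round: I = E_K(DT); R = E_K(I xor V); V' = E_K(R xor I)."""

    def __init__(self, key: bytes, seed: bytes, dt_source):
        self.key = key
        self.v = seed               # secret seed V, replaced every round
        self.dt_source = dt_source  # callable returning the date/time vector DT

    def next_block(self):
        dt = self.dt_source()       # DT re-sampled every round, as NIST requires
        i = block_encrypt(self.key, dt)              # ... and re-encrypted every round
        r = block_encrypt(self.key, xor(i, self.v))  # the output block
        self.v = block_encrypt(self.key, xor(r, i))  # next round's seed
        return r, i

def counter_dt():
    """Free-running 64-bit counter standing in for DT (the permitted alternative to a clock)."""
    n = 0
    def source() -> bytes:
        nonlocal n
        n += 1
        return n.to_bytes(BLOCK, "big")
    return source

def stuck_dt(value: bytes):
    """The misreading described in the thread: DT sampled once and never changed."""
    return lambda: value

def distinct_intermediates(gen: X917Generator, rounds: int) -> int:
    """Number of distinct I = E_K(DT) values over `rounds`; equals `rounds` only if DT changes."""
    return len({i for _, i in (gen.next_block() for _ in range(rounds))})

def distinct_outputs(gen: X917Generator, rounds: int) -> int:
    """Number of distinct output blocks R; the chained V keeps these distinct even with a stuck DT."""
    return len({r for r, _ in (gen.next_block() for _ in range(rounds))})

KEY = b"constructed-sample-key"  # constructed sample values, not real key material
SEED = bytes(BLOCK)
```

With the counter source every round yields a fresh I, while the stuck source produces the same I every round even though the output blocks still differ, which is why the misinterpretation is easy to miss by inspecting output alone.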