On Wed, Sep 03, 2003 at 08:25:54AM -0700, Joshua Hill wrote:
> On Fri, Aug 29, 2003 at 03:45:50PM -0400, Thor Lancelot Simon wrote:
> >
> > However, it has always been permitted
> > to use a free-running counter instead of the time, and indeed the current
> > interpretation by NIST *requires* that a counter, not the time, be used.
>
> "always" is a strong term, but they have allowed it for the last 4 years
> or so, anyway. I don't think that I've seen any guidance from NIST that
> disallows an actual clock, but they do want the value to change every
> round, so it would have to be a fast clock or a slow implementation to
> fulfill the requirement in this way.
Unfortunately, unless something has changed since the proposed RNG Known Answer Tests were temporarily withdrawn, some of that set of derived requirements would make it impossible to have an implementation that actually used the time in Ti certified. I pointed this out to NIST informally through one of the test labs and was, essentially, told "too bad".

It is particularly amusing that the way the RNG tests were originally specified, they essentially required the algorithm to diverge from all published specifications by adding an additional step, that of checking to see if a Ti value had explicitly been specified for testing purposes; that Ti value was then to be treated as a counter and incremented once per round. I pointed this out and was met with plain old lack of comprehension: in fact, I was told that "since it computes the same function from its inputs to its outputs, it must be the same algorithm". This basically made my jaw drop, but since I didn't feel like arguing about fundamental computer science with the people who were going to be testing my implementation I left it alone. :-/

--
Thor Lancelot Simon [EMAIL PROTECTED]

But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel!
You plate!" and so on. --Sigmund Freud

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
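An added illustration of the certification problem described in the thread (example code of my own, not from the thread or any NIST document): a Ti-driven generator in the X9.17 style with a pluggable Ti source, showing that a known-answer test can only pin the output down when Ti is an injected counter incremented once per round, while a real-clock Ti can never reproduce a test vector. HMAC-SHA256 stands in for the keyed block cipher, and the key, seed and the names `TiPrng`, `counter_source`, `clock_source` and `run_kat` are all assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed key and seed for the demonstration, not values from any test vector.
KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SEED = hashlib.sha256(b"constructed seed V0").digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class TiPrng:
    """X9.17-style generator; each round mixes a per-round value Ti into the state.
    Assumption: HMAC-SHA256 stands in for the keyed block cipher E_K of the real design.
        I = F_K(Ti);  R = F_K(I xor V);  V = F_K(R xor I)
    """

    def __init__(self, key, seed, ti_source):
        self.key, self.v, self.ti_source = key, seed, ti_source

    def _f(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def next_block(self):
        ti = self.ti_source()  # the only per-round external input
        i = self._f(ti)
        r = self._f(xor(i, self.v))
        self.v = self._f(xor(r, i))
        return r


def counter_source(start):
    """Ti as the KAT expects it: an injected start value, incremented once per round."""
    state = [start]

    def src():
        value = state[0].to_bytes(8, "big")
        state[0] += 1
        return value
    return src


def clock_source():
    """Ti as a real clock (microseconds since the epoch): no harness can pin this value."""
    return int(time.time() * 1_000_000).to_bytes(8, "big")


def run_kat(ti_source, rounds=3):
    """Output `rounds` hex blocks from a fresh generator driven by ti_source."""
    gen = TiPrng(KEY, SEED, ti_source)
    return [gen.next_block().hex() for _ in range(rounds)]
```

Two runs with the same injected counter start reproduce each other exactly, a Ti that is injected but not incremented diverges from the expected vector after the first round, and a clock-driven Ti matches no fixed vector at all.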