Perry E. Metzger wrote: >I've noted to others on this before that for an application like >the IP fragmentation id, it might be even better if no repeats >occurred in any block of 2^31 (n being 32) but the sequence did not >repeat itself (or at least could be harmlessly reseeded at very very >long intervals).

Let E_k(.) be a secure block cipher on 31 bits with key k. (For instance, E might be 16 rounds of Luby-Rackoff using f(x) = AES_{AES_{k}(i)}(x) as the Feistel function in the ith round.) Pick an unending sequence of keys k0, k1, k2, ... for E. Then your desired sequence can be constructed by E_k0(0), E_k0(1), E_k0(2), ..., E_k0(2^31 - 1), 2^31 + E_k1(0), 2^31 + E_k1(1), 2^31 + E_k1(2), ..., 2^31 + E_k1(2^31 - 1), E_k2(0), E_k2(1), E_k2(2), ..., E_k2(2^31 - 1), 2^31 + E_k3(0), 2^31 + E_k3(1), 2^31 + E_k3(2), ..., 2^31 + E_k3(2^31 - 1), ..., --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]