> [...]
> The Yarrow RNG uses counter-mode as a PRNG. However, in the paper they
> describe some effects you may want to avoid by re-keying depending on
> your application, as the stream becomes distinguishable from random
> output.
>
> Adam
This is essentially because if your output sequence of n-bit blocks were really random, you would expect to see a collision between two n-bit blocks after seeing about 2^(n/2) block outputs (birthday paradox), but using a block cipher with a counter gives you no collision before 2^n block outputs.

This is indeed why in the Yarrow design they suggest re-keying after 2^(n/3) block outputs.

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
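The collision argument in the message above, as an added simulation that is not part of the thread or of Yarrow itself: an ideal n-bit block cipher is modelled as a random permutation, and a toy block size of 16 bits (an assumption chosen so the effect shows up quickly) makes the difference between a CTR keystream and truly random blocks visible. The helper names and the fixed seeds are constructed for this example.

```python
import random

BLOCK_BITS = 16            # constructed toy block size (a real cipher would use 64 or 128)
SPACE = 1 << BLOCK_BITS    # number of distinct n-bit blocks


def ideal_block_cipher(seed):
    """Model a keyed n-bit block cipher as a random permutation of the block space."""
    rng = random.Random(seed)
    perm = list(range(SPACE))
    rng.shuffle(perm)
    return perm


def ctr_keystream(perm, start, nblocks):
    """Counter-mode output E_K(start), E_K(start+1), ...; distinct until the counter wraps at 2^n."""
    return [perm[(start + i) % SPACE] for i in range(nblocks)]


def random_blocks(seed, nblocks):
    """Truly random n-bit blocks (sampled with replacement), for comparison."""
    rng = random.Random(seed)
    return [rng.randrange(SPACE) for _ in range(nblocks)]


def first_collision_index(blocks):
    """Index of the first repeated block, or None if every block is distinct."""
    seen = set()
    for i, b in enumerate(blocks):
        if b in seen:
            return i
        seen.add(b)
    return None


def birthday_bound(block_bits):
    """Roughly where a random n-bit stream shows its first collision: 2^(n/2) blocks."""
    return int(2 ** (block_bits / 2))


def rekey_interval(block_bits):
    """Yarrow's rule of thumb as quoted in the thread: re-key after 2^(n/3) blocks."""
    return int(2 ** (block_bits / 3))


def looks_like_ctr(blocks, block_bits):
    """The distinguisher: a sample far past the birthday bound with no collision is not random."""
    assert len(blocks) >= 8 * birthday_bound(block_bits), "sample too short to judge"
    return first_collision_index(blocks) is None
```

With a 128-bit block the same functions give a birthday bound of 2^64 and a re-key interval of about 2^42.7 blocks; the simulation is only practical at toy sizes.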
