Let me raise a different issue: a PRNG might be better *in practice* 
because of higher assurance that it's actually working as designed at 
any given time.

Hardware random number generators are subject to all sorts of 
environmental issues, including stuck bits, independent oscillators 
that aren't independent, contamination by power line frequency noise, 
etc.  By contrast, a correct implementation of a cryptographic 
algorithm will always function correctly.  (Yes, there could be an 
undetected hardware fault.  Run it three times, on different chips....)

To me, the interesting question about, say, Yarrow is not how well it 
mixes in entropy, but how well it performs when there's essentially no 
new entropy added.  Clearly, we need something to see a PRNG, but what 
are the guarantees we have against what sorts of threats if there are 
never any new true-random inputs?  (Remember the purported escrow key 
generation algorithm for Clipper?  See 
http://www.eff.org/Privacy/Newin/Cypherpunks/930419.denning.protocol
for details.  The algorithm was later disavowed, but I've never been 
convinced that the disavowal was genuine.)

                --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to