Let me raise a different issue: a PRNG might be better *in practice* because of higher assurance that it's actually working as designed at any given time.
Hardware random number generators are subject to all sorts of environmental issues, including stuck bits, independent oscillators that aren't independent, contamination by power line frequency noise, etc. By contrast, a correct implementation of a cryptographic algorithm will always function correctly. (Yes, there could be an undetected hardware fault. Run it three times, on different chips....) To me, the interesting question about, say, Yarrow is not how well it mixes in entropy, but how well it performs when there's essentially no new entropy added. Clearly, we need something to see a PRNG, but what are the guarantees we have against what sorts of threats if there are never any new true-random inputs? (Remember the purported escrow key generation algorithm for Clipper? See http://www.eff.org/Privacy/Newin/Cypherpunks/930419.denning.protocol for details. The algorithm was later disavowed, but I've never been convinced that the disavowal was genuine.) --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]