On Thu, 05 Sep 2013 16:56:38 -0700 John Denker <j...@av8n.com> wrote:
> > The generator can
> > be easily tested for correct behavior if it is simply a block
> > cipher.
> I wouldn't have said that.
> As Dykstra was fond of saying:
>    Testing can show the presence of bugs;
>    testing can never show the absence of bugs.

The point is that a deterministic generator operating off of a seed
can be validated -- you can assure yourself reasonably easily that
the thing is indeed AES in counter mode. A hardware generator can have
horrible flaws that are hard to detect without a lot of data from many
devices. (The recent break of the Taiwanese national ID card system
should be a lesson on that too.)

I will remind everyone that the key generation ceremony for the
Clipper devices used a deterministic generator for precisely this
reason even given that the keys were being escrowed. See Dorothy
Denning's old report on that for a reminder.

Perry E. Metzger                pe...@piermont.com
The cryptography mailing list

Reply via email to