On Thu, 05 Sep 2013 16:56:38 -0700 John Denker <[email protected]> wrote:
> > The generator can
> > be easily tested for correct behavior if it is simply a block
> > cipher.
>
> I wouldn't have said that.
>
> As Dijkstra was fond of saying:
> Testing can show the presence of bugs;
> testing can never show the absence of bugs.

The point is that a deterministic generator operating off of a seed can be validated -- you can assure yourself reasonably easily that the thing is indeed AES in counter mode. A hardware generator can have horrible flaws that are hard to detect without a lot of data from many devices. (The recent break of the Taiwanese national ID card system should be a lesson on that too.)

I will remind everyone that the key generation ceremony for the Clipper devices used a deterministic generator for precisely this reason even given that the keys were being escrowed. See Dorothy Denning's old report on that for a reminder.

Perry
--
Perry E. Metzger [email protected]
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
