On Thu, 05 Sep 2013 16:56:38 -0700 John Denker <j...@av8n.com> wrote:
> > The generator can
> > be easily tested for correct behavior if it is simply a block
> > cipher.
>
> I wouldn't have said that.
>
> As Dijkstra was fond of saying:
>   Testing can show the presence of bugs;
>   testing can never show the absence of bugs.

The point is that a deterministic generator operating off of a seed can be validated -- you can assure yourself reasonably easily that the thing is indeed AES in counter mode. A hardware generator can have horrible flaws that are hard to detect without a lot of data from many devices. (The recent break of the Taiwanese national ID card system should be a lesson on that too.)

I will remind everyone that the key generation ceremony for the Clipper devices used a deterministic generator for precisely this reason even given that the keys were being escrowed. See Dorothy Denning's old report on that for a reminder.

Perry
--
Perry E. Metzger pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography