On Jun 18, 2012, at 11:21:52 PM, ianG wrote:
>
>
> Then there are RNGs. They start from a theoretical absurdity that we cannot
> predict their output, which leads to an apparent impossibility of
> black-boxing.
>
> NIST recently switched gears and decided to push the case for deterministic
> PRNGs. According to original thinking, a perfect RNG was perfectly
> untestable. Whereas a perfectly deterministic RNG was also perfectly
> predictable. This was a battle of two not-goods.
>
> Hence the second epiphany: NIST were apparently reasoning that the
> testability of the deterministic PRNG was the lesser of the two evils. They
> wanted to black-box the PRNG, because black-boxing was the critical
> determinant of success.
>
> After a lot of thinking about the way the real world works, I think they have
> it right. Use a deterministic PRNG, and leave the problem of securing good
> seed material to the user. The latter is untestable anyway, so the right
> approach is to shrink the problem and punt it up-stack.
>
There's evidence, dating back to the Clipper chip days, that NSA feels the same
way. Given the difficulty of proving there are no weird environmental impacts
on hardware RNGs, they're quite correct.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
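The testability argument above (a deterministic PRNG can be black-boxed, while the entropy source cannot and is pushed up-stack to the caller) is easier to see in code. The following is an added example, not code from the thread or from NIST: an HMAC_DRBG in the SP 800-90A shape (SHA-256, the Update/Instantiate/Reseed/Generate steps) where entropy is injected rather than gathered inside the generator. That one design choice is what makes the generator testable: a harness feeds fixed, constructed entropy and checks the output, while production code hands the seed problem to `os.urandom`. The entropy bytes in the self-test are constructed placeholders, not a published test vector; a real deployment would compare against the NIST CAVP vectors for HMAC_DRBG.

```python
"""HMAC_DRBG with injectable entropy: the deterministic core is black-box
testable, the seed source is deliberately outside the box."""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


class HmacDrbg:
    """HMAC_DRBG (SP 800-90A structure). Entropy is a constructor argument,
    never gathered internally, so the same inputs always give the same output."""

    def __init__(self, entropy_input, nonce=b"", personalization=b"",
                 reseed_interval=10000):
        self.reseed_interval = reseed_interval
        self.K = b"\x00" * OUTLEN          # initial key per the spec
        self.V = b"\x01" * OUTLEN          # initial value per the spec
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        # HMAC_DRBG_Update: mix provided_data into (K, V)
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.K, self.V)

    def reseed(self, entropy_input, additional_input=b""):
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes, additional_input=b""):
        # Fail closed once the reseed interval is exhausted.
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]


# Constructed, fixed test inputs: this is what makes the DRBG black-box testable.
TEST_ENTROPY = bytes(range(32))          # placeholder, not a NIST vector
TEST_NONCE = bytes(range(32, 48))        # placeholder


def deterministic_self_test(nbytes=64):
    """Two instances fed identical entropy must agree byte for byte, and a
    single bit of entropy difference must change the output."""
    a = HmacDrbg(TEST_ENTROPY, TEST_NONCE).generate(nbytes)
    b = HmacDrbg(TEST_ENTROPY, TEST_NONCE).generate(nbytes)
    flipped = bytes([TEST_ENTROPY[0] ^ 1]) + TEST_ENTROPY[1:]
    c = HmacDrbg(flipped, TEST_NONCE).generate(nbytes)
    return a == b and a != c and len(a) == nbytes


def known_answer_check(entropy, nonce, nbytes, expected_hex):
    """Plumbing for a real KAT: instantiate with a published vector's inputs
    and compare to its expected output (vector supplied by the caller)."""
    got = HmacDrbg(entropy, nonce).generate(nbytes)
    return hmac.compare_digest(got.hex(), expected_hex)


def reseed_enforced():
    """With reseed_interval=1 the second generate call must refuse to run."""
    drbg = HmacDrbg(TEST_ENTROPY, TEST_NONCE, reseed_interval=1)
    drbg.generate(16)
    try:
        drbg.generate(16)
        return False
    except RuntimeError:
        drbg.reseed(os.urandom(32))   # fresh entropy restores service
        return len(drbg.generate(16)) == 16


def production_drbg():
    """Outside the testable box: the OS is trusted to supply the seed."""
    return HmacDrbg(os.urandom(32), os.urandom(16), b"app-v1")


if __name__ == "__main__":
    print("self-test:", deterministic_self_test())
    print("reseed enforced:", reseed_enforced())
    print(production_drbg().generate(16).hex())
```

The split is the whole point of the argument in the thread: everything in `HmacDrbg` can be run against fixed inputs and checked, while `production_drbg` is the untestable part that has been shrunk to one call and handed to the platform.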
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography