> [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED]] wrote:
>
> Why would one want to implement a PRNG in silicon, when one can
> easily implement a real RNG in silicon?
>

RNGs and PRNGs serve somewhat different purposes in current cryptographic systems. Both are useful, but it's not clear to me that the Gbit true RNGs are needed.
The defining difference between the two is that if you know the algorithm and seed, the output of a PRNG can be reproduced, at a different time, place, or both. There are circumstances in which this is very much a desired quality. For example, in communications using a stream cipher, it is necessary that both ends be able to produce that same pseudorandom bitstream. You could not replace RC4 in SSL with an RNG, since both ends need to generate the same sequence.

True RNGs are needed for much more limited purposes: generating session keys, initialization vectors, candidate RSA prime numbers, etc. The only high volume use I can think of for a true RNG is the mass production of OTP key material.

So my suggestion is that while hardware acceleration of PRNGs may have some usefulness, true RNGs need not have the same performance. I'd rather see people work on making the true RNGs *trustworthy*, which is a much more difficult problem.

Peter Trei
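The reproducibility point above, as an added illustration that is not part of Peter Trei's message: a stream cipher's keystream is a seeded PRNG, so two endpoints sharing the key and IV regenerate identical bytes, while true-RNG output cannot be regenerated by the other side. The keystream generator here is constructed for illustration from SHAKE256 keyed with key and nonce; it is not RC4 or any real protocol's cipher, and the true RNG is modelled by os.urandom.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: the same key and nonce always yield the same bytes.

    Constructed illustration using SHAKE256 as an extendable-output function,
    standing in for the PRNG inside any stream cipher.
    """
    return hashlib.shake_256(key + nonce).digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the keystream.
    return xor_bytes(data, keystream(key, nonce, len(data)))


def prng_round_trip(message: bytes) -> bytes:
    """Sender and receiver share key and nonce; each regenerates the same keystream."""
    key = os.urandom(32)    # the true RNG is consumed once, for the session key...
    nonce = os.urandom(12)  # ...and once for the IV; both are then sent/shared, not regenerated
    ciphertext = stream_encrypt(key, nonce, message)   # sender side
    return stream_encrypt(key, nonce, ciphertext)      # receiver side recovers the message


def true_rng_round_trip(message: bytes) -> bytes:
    """What happens if each end draws its keystream from a true RNG instead."""
    ciphertext = xor_bytes(message, os.urandom(len(message)))  # sender's random bytes
    return xor_bytes(ciphertext, os.urandom(len(message)))     # receiver cannot reproduce them


def keystream_is_reproducible(key: bytes, nonce: bytes, length: int) -> bool:
    """Two independent runs with the same seed material give byte-identical output."""
    return keystream(key, nonce, length) == keystream(key, nonce, length)
```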
