Re: CSPRNG algorithms
On Fri, Mar 13, 2009 at 1:16 PM, Travis travis+ml-cryptogra...@subspacefield.org wrote:
> I have never seen a good catalog of computationally-strong pseudo-random number generators.

Here is a list of the FIPS-approved random number generators:
http://csrc.nist.gov/groups/ST/toolkit/random_number.html

NIST Special Publication 800-90 provides recommendations for deterministic random bit generators (not sure why they chose to use DRBG instead of PRNG) based on hash functions, block ciphers, and number theoretic problems (speculation exists that the latter contains a back door).

Best regards,
Darren Lasko
Principal Engineer
Advanced Development Group, Storage Products
Fujitsu Computer Products of America

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
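As an added illustration (not code from the thread or from NIST) of the hash-based family in SP 800-90 that Darren refers to, here is the SHA-256 Hash_DRBG construction: Hash_df seeding, the Hashgen output loop, and the V/C/reseed_counter state update. The entropy and nonce bytes in the test are constructed constants; a real instantiation draws them from an entropy source, and this sketch has not been checked against the CAVP test vectors.

```python
import hashlib

SEEDLEN = 55  # 440 bits: the SP 800-90A seedlen for SHA-256

def hash_df(data: bytes, n_bytes: int) -> bytes:
    """Hash_df: iterate SHA-256 over counter || bitlen || input and truncate."""
    out, counter = b"", 1
    bits = (n_bytes * 8).to_bytes(4, "big")  # no_of_bits_to_return, 32-bit
    while len(out) < n_bytes:
        out += hashlib.sha256(bytes([counter]) + bits + data).digest()
        counter += 1
    return out[:n_bytes]

class HashDRBG:
    RESEED_INTERVAL = 1 << 48  # SP 800-90A maximum for Hash_DRBG

    def __init__(self, entropy: bytes, nonce: bytes, personalization: bytes = b""):
        self._seed(entropy + nonce + personalization)

    def _seed(self, seed_material: bytes) -> None:
        # V = Hash_df(seed_material), C = Hash_df(0x00 || V), counter reset
        self.V = hash_df(seed_material, SEEDLEN)
        self.C = hash_df(b"\x00" + self.V, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        self._seed(b"\x01" + self.V + entropy + additional)

    @staticmethod
    def _add(*parts) -> bytes:
        """Sum byte strings and ints modulo 2^seedlen, as the spec's V updates require."""
        total = sum(p if isinstance(p, int) else int.from_bytes(p, "big") for p in parts)
        return (total % (1 << (SEEDLEN * 8))).to_bytes(SEEDLEN, "big")

    def generate(self, n_bytes: int, additional: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        if additional:  # optional additional input folds into V first
            w = hashlib.sha256(b"\x02" + self.V + additional).digest()
            self.V = self._add(self.V, w)
        # Hashgen: output Hash(V) || Hash(V+1) || Hash(V+2) ... then truncate
        out, data = b"", self.V
        while len(out) < n_bytes:
            out += hashlib.sha256(data).digest()
            data = self._add(data, 1)
        # State update: V = V + Hash(0x03 || V) + C + reseed_counter
        h = hashlib.sha256(b"\x03" + self.V).digest()
        self.V = self._add(self.V, h, self.C, self.reseed_counter)
        self.reseed_counter += 1
        return out[:n_bytes]
```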
Re: CSPRNG algorithms
Travis travis+ml-cryptogra...@subspacefield.org writes:
> I have never seen a good catalog of computationally-strong pseudo-random number generators. It seems that everyone tries to roll their own in whatever application they are using, and I bet there's a lot of waste and inefficiency and re-inventing the wheel involved. Is this true, or is there a survey somewhere?

I did a (hopefully) reasonably comprehensive analysis of what was around in the late 90s in my thesis, available via http://researchspace.auckland.ac.nz/handle/2292/2310 (there's an updated version available as "Cryptographic security architecture: design and verification", published by Springer), specifically chapter 6, "Random number generation". This covers PRNGs from AC2, X9.17, PGP 5.x, /dev/random, Skip, ssh (that is, the ssh.com implementation), SSLeay/OpenSSL, CryptoAPI, Capstone/Fortezza, the Intel PIII generator, and some other bits.

Peter.
Re: CSPRNG algorithms
On Mar 13, 2009, at 12:16 PM, Travis wrote:
> [...] would people like to help me create one by emailing me references to extant PRNG definitions?

This paper describes the architecture of a prototype I built at Sun back in 1995 for a random number generating service that ran in user land. It went through a couple revisions, and eventually got ported to the kernel in Solaris 10.

http://wikis.sun.com/download/attachments/100794535/CryptoRand-Soley96.pdf

The revisions since the paper were fairly minor: using a bigger entropy pool, improving the entropy estimation algorithm, and tweaking the bleed function. I am not sure what changes were made when it was ported to the kernel as I was not directly involved. Unfortunately, the details of the revisions are only documented in the source code.

Kind regards,
-Bill
Re: CSPRNG algorithms
> I have never seen a good catalog of computationally-strong pseudo-random number generators.

Chapter 3 of Knuth's TAOCP is all about pseudo-random number generators, starting with a fine example of the wrong way to do it. My copy is several thousand miles away but my recollection is that his main advice was to stick to linear congruential PRNGs, perhaps with a buffered postpass to scramble up the order of the results. It's certainly a good place to start.

R's,
John

[Moderator's note: none of the generators in TAOCP are cryptographically strong. They are fine for Monte Carlo simulations and such. --Perry]
Re: CSPRNG algorithms
On Sat, Mar 14, 2009 at 3:16 AM, Travis travis+ml-cryptogra...@subspacefield.org wrote:
> I have never seen a good catalog of computationally-strong pseudo-random number generators. It seems that everyone tries to roll their own in whatever application they are using, and I bet there's a lot of waste and inefficiency and re-inventing the wheel involved. Is this true, or is there a survey somewhere? If not, would people like to help me create one by emailing me references to extant PRNG definitions?

There's a nice survey, with some advice on how to construct a good PRNG, at

J. Kelsey, B. Schneier, D. Wagner, and C. Hall, "Cryptanalytic Attacks on Pseudorandom Number Generators", Fast Software Encryption, Fifth International Workshop Proceedings (March 1998), Springer-Verlag, 1998, pp. 168-188.
http://www.schneier.com/paper-prngs.html

ABSTRACT: In this paper we discuss PRNGs: the mechanisms used by real-world secure systems to generate cryptographic keys, initialization vectors, random nonces, and other values assumed to be random. We argue that PRNGs are their own unique type of cryptographic primitive, and should be analyzed as such. We propose a model for PRNGs, discuss possible attacks against this model, and demonstrate the applicability of this model (and our attacks) to four real-world PRNGs. We close with a discussion of lessons learned about PRNG design and use, and a few open questions.

The authors' reputations suggest their advice is probably excellent...

ciao,

--
-- Jonathan Thornburg [remove -animal to reply] jth...@astro.indiana-zebra.edu
   Dept of Astronomy, Indiana University, Bloomington, Indiana, USA
   "C++ is to programming as sex is to reproduction. Better ways might
    technically exist but they're not nearly as much fun." -- Nikolai Irgens
Re: CSPRNG algorithms
On Sat, Mar 14, 2009 at 3:16 AM, Travis travis+ml-cryptogra...@subspacefield.org wrote:
> I have never seen a good catalog of computationally-strong pseudo-random number generators. It seems that everyone tries to roll their own in whatever application they are using, and I bet there's a lot of waste and inefficiency and re-inventing the wheel involved. Is this true, or is there a survey somewhere? If not, would people like to help me create one by emailing me references to extant PRNG definitions?

Not complete, but this encyclopedia article has some links:
http://en.citizendium.org/wiki/Random_number#Random_sequences_from_physical_phenomena

It is a wiki so if you can improve it, please do. No doubt Wikipedia has a list as well. All the usual crypto texts have chapters on it, too.

--
Sandy Harris, Quanzhou, Fujian, China