Perry E. Metzger (perry@piermont.com)
Tue, 14 Jul 1998 13:08:42 -0400
"Tom Otvos" writes:
> (Sigh.) So much to learn. Thanks for taking the time to respond in such
> detail. Incidentally, the MT paper does offer that "by a simple linear
> transformation...one can easily guess the present state from a sufficiently
> large size of the output".
>
> But here is one more thought (or question really). If you combine a PRNG
> with a one-way hash, is the output still "random" and more secure?
Might I suggest that rather than using a non-cryptographic PRNG and
attempting to use hard-to-analyze kludges to make it better, why not
start with a cryptographic PRNG instead? We have several available,
and they work nicely. RC4 isn't too shabby for many purposes, and
neither is the use of an algorithm like CAST-128 in output feedback
mode.
> Or, should I just go back to being a passive observer on this list?
Nothing wrong with enthusiasm and participation, but I'd suggest
thoroughly reading two books as soon as you can:
0) Kahn's "The Codebreakers", the original unabridged version.
Reason: So you'll have some sense of how nasty this stuff gets in
the real world when lives are on the line.
1) Schneier's Applied Cryptography
Reason: So you'll understand current cryptographic practice.
Perry
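As an added illustration of the "cipher in output feedback mode" generator Perry recommends (this is example code, not part of the original message): in OFB the keyed block function is applied to its own previous output, and each intermediate block is emitted as keystream. Python's standard library has no CAST-128, so this example substitutes HMAC-SHA256 as the keyed block function (an assumption made only to keep the code self-contained); the OFB chaining is the same, and `hmac_block` can be replaced by any 32-byte keyed block function. The key and IV are assumed to come from `os.urandom`.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 32  # output width of the keyed block function, in bytes


def hmac_block(key: bytes, block: bytes) -> bytes:
    """Keyed block function standing in for a block cipher such as CAST-128.

    Assumption for this example: HMAC-SHA256 is used because the standard
    library ships no block cipher. Any keyed pseudorandom function of a
    fixed-width block works in the same position.
    """
    return hmac.new(key, block, hashlib.sha256).digest()


class OFBGenerator:
    """Keystream generator in output feedback mode.

    state_0 = IV, state_i = F_key(state_{i-1}); the bytes of each state_i
    (i >= 1) are the keystream. Only the key and IV determine the output, so
    the IV must never be reused with the same key.
    """

    def __init__(self, key: bytes, iv: bytes, block_fn=hmac_block):
        if len(key) < 16:
            raise ValueError("key too short for a cryptographic generator")
        if len(iv) != BLOCK_SIZE:
            raise ValueError(f"iv must be {BLOCK_SIZE} bytes")
        self._key = key
        self._state = iv
        self._block_fn = block_fn
        self._buf = b""  # unconsumed keystream from the current block

    def next_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if not self._buf:
                # Feed the previous output block back in: this is OFB.
                self._state = self._block_fn(self._key, self._state)
                self._buf = self._state
            take = min(n - len(out), len(self._buf))
            out += self._buf[:take]
            self._buf = self._buf[take:]
        return bytes(out)


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Convenience wrapper: the first n keystream bytes for (key, iv)."""
    return OFBGenerator(key, iv).next_bytes(n)


def new_generator() -> OFBGenerator:
    """Fresh generator seeded from the OS entropy source (assumed available)."""
    return OFBGenerator(os.urandom(32), os.urandom(BLOCK_SIZE))


if __name__ == "__main__":
    gen = new_generator()
    print(gen.next_bytes(16).hex())
```

Two practical notes on this construction: because the feedback path never depends on plaintext, the generator can be run ahead and its output cached, and a stream of length n costs exactly ceil(n / 32) block-function calls. Seeding with a constant IV, or hashing a weak generator's output into the IV, gives exactly the hard-to-analyze kludge the message warns against; the security rests entirely on the key and IV being unpredictable.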