Cicero (cicero@redneck.efga.org)
17 Jul 1998 07:12:14 -0000
Mike Rosing wrote:
>On 16 Jul 1998, Cicero wrote:
>
>> Even if I had a RNG whose manufacturer I trusted, how would I know it
>> was not defective, or that the maker, though honest, had not erred
>> either in design or in manufacture, or had degraded since manufacture?
>
>Because you can test it continuously. In 1970 Herschell Murry pointed out
>how to do this with a set of parallel random bit generators using any
>noise source.
Statistical tests can demonstrate failure, but not success. Any good
PRNG will pass all such tests, with a seed of 0, and you know there is
no entropy there. If Murry has a test that will distinguish a RNG
from a PRNG I would be surprised.
>> I can read the source for my software PRNG.
>
>And I can read the source for my hardware RNG.
You are correct here. I can verify that my hash really is the SHA-1
in FIPS 180-1, and you can verify that your hardware design is one
which has been just as extensively analysed. Can you cite an example
of such a design?
>Both can be tested the same way.
>What do you do if your PRNG fails a test once? Chuck it?
>or consider it a minor problem because you only saw it fail once?
If you could demonstrate SHA-1 giving output that failed statistical
tests, I'd be initially surprised, then (after verifying the
experiment) very impressed. An analysis would ultimately show SHA-1
broken, and yes, at that time I would chuck it. A single SHA-1 output
with 0xdeadbeef in it would not cause me concern. If you produced a
collision, that would be another matter.
>> Using a RNG only limits you to the strength of the RNG, which may be
>> difficult to assess.
>
>It's actually quite easy to check on a continuous basis. If it differs
>from what you expect, you can halt it and check the electronics (or in a
>cost critical situation just replace it).
I can run specific test vectors to gain some confidence that my PRNG
is the one that I think it is, but no tests that you can run will
distinguish a correct RNG from a PRNG, or distinguish one RNG from
another (unless one is broken), or give you confidence that your RNG
is the one that you thought it was. If I switch your chip with one
that produces 3DES OFB output, you can never find out without
inspecting the hardware. The output will not differ from what you
would expect.
>Now don't get me wrong, PRNGs are very important for crypto purposes. But
>to say they can replace hardware RNG because you don't know what the RNG
>is doing is a complete fallacy with a long history of proof.
I am not advocating replacement at all. I need RNGs for seed
material; no PRNG can function without a seed. I suggest that the
best use of RNGs may be limited to that.
Cicero
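The point Cicero makes above, that statistical tests can only demonstrate failure and not success, can be shown concretely. The following script is an added illustration, not code from either poster. It builds a deterministic SHA-1 counter-mode generator (the function name `sha1_counter_prng` and the `seed || counter` layout are my own construction, not a reference to any standard), seeds it with 0 so it provably contains no entropy, and runs two common output tests (monobit and byte-frequency chi-square) against it. The entropy-free stream passes; a simulated hardware source with a stuck bit (also constructed here) fails. The pass thresholds are conventional p ~ 0.001 critical values and are an assumption of this example, not something from the thread.

```python
import hashlib
import math
import struct


def sha1_counter_prng(seed: int, nbytes: int) -> bytes:
    """Deterministic stream: SHA-1(seed || counter), concatenated.

    Hypothetical construction for illustration. With seed 0 every byte of
    the output is fixed in advance, so the stream carries zero entropy
    even though it looks uniformly random to output-only tests.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha1(struct.pack(">QQ", seed, counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def stuck_bit_source(nbytes: int) -> bytes:
    """Constructed stand-in for a defective hardware source: bit 7 of every
    byte is stuck at 0 (derived from the PRNG so the script stays offline)."""
    return bytes(b & 0x7F for b in sha1_counter_prng(1, nbytes))


def monobit_z(data: bytes) -> float:
    """Monobit test: z-score of the count of 1 bits versus n/2.
    For an unbiased source z is approximately standard normal."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return (2 * ones - n) / math.sqrt(n)


def byte_chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against the uniform
    distribution (255 degrees of freedom)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


# Assumed thresholds: |z| < 3.29 is the two-sided p ~ 0.001 cutoff for the
# normal distribution; 330 is roughly the p ~ 0.001 chi-square cutoff at
# 255 degrees of freedom. Anything beyond these is treated as a failure.
MONOBIT_LIMIT = 3.29
CHI_SQUARE_LIMIT = 330.0


def passes_tests(data: bytes) -> bool:
    """True if the data clears both tests. A True result says nothing about
    entropy; only a False result is informative."""
    return (abs(monobit_z(data)) < MONOBIT_LIMIT
            and byte_chi_square(data) < CHI_SQUARE_LIMIT)


if __name__ == "__main__":
    n = 64 * 1024
    zero_seed = sha1_counter_prng(0, n)
    broken = stuck_bit_source(n)
    print("seed-0 SHA-1 stream: z=%.2f chi2=%.1f pass=%s"
          % (monobit_z(zero_seed), byte_chi_square(zero_seed),
             passes_tests(zero_seed)))
    print("stuck-bit source:    z=%.2f chi2=%.1f pass=%s"
          % (monobit_z(broken), byte_chi_square(broken),
             passes_tests(broken)))
    # Two boxes seeded with 0 produce identical streams, and nothing in the
    # output-only tests above can detect that.
    print("two seed-0 instances identical:",
          zero_seed == sha1_counter_prng(0, n))
```

The design point is the one Cicero makes: output tests are a health monitor for a source you already trust for other reasons (inspection of the design and hardware, test vectors for a known algorithm), not a proof that entropy is present. A stuck bit, a flatlined amplifier or a biased comparator shows up quickly; a perfectly deterministic substitute does not show up at all.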
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:31 ADT