Bob Baldwin (baldwin@rsa.com)
Fri, 7 Aug 1998 10:00:44 -0700
I assume that Berke's message about using RC6 as a strong PRNG was to take advantage of the wide block size. That is, RC6 would be used as a stream cipher such as counter mode with the PRNG state being the secret key and counter value, and perhaps the increment value is secret too. The creation of the internal state from the seed bytes can be done using one of the algorithms in section 18.11 of Schneier for creating one-way functions from block ciphers. The Davies-Meyer construct would work well with 3-DES. All the AES submissions support large block sizes, so whichever one is picked could be used as a strong PRNG. I hope NIST actually recommends a specific mode of operation for this.
In the short run, you can do a similar algorithm using a 64-bit block cipher with a large key (e.g., triple-DES, IDEA, RC5, CAST, SAFER, etc.). If you need a cycle length greater than 2**64, then you can use the block cipher to compute the CBC residue of a large counter (say 128 bits). For best results the counter should be incremented by a large value so both the first and second 64-bit blocks change with each state increment.
--Bob Baldwin
RSA Data Security
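The 64-bit-block variant sketched in the message (CBC residue of a 128-bit counter that steps by a large value), as an added Go example that is not part of Baldwin's post: the triple-DES key and the increment constants are constructed demo values, and deriving the key, counter and increment from seed bytes with a one-way function is left out.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// CBCResiduePRNG is the post's short-run construction: a 64-bit block cipher
// (triple-DES) takes the CBC residue of a 128-bit counter that steps by a large value.
type CBCResiduePRNG struct {
	blk          cipher.Block // 64-bit block cipher keyed with the secret key
	hi, lo       uint64       // 128-bit counter, most-significant half first
	incHi, incLo uint64       // 128-bit increment; odd incLo gives a full 2^128 cycle
}

// NewCBCResiduePRNG keys triple-DES and sets counter and increment. Deriving all
// of these from seed bytes with a one-way function (as the post suggests) is omitted.
func NewCBCResiduePRNG(key *[24]byte, hi, lo, incHi, incLo uint64) *CBCResiduePRNG {
	blk, _ := des.NewTripleDESCipher(key[:]) // cannot fail: key length is fixed by the type
	return &CBCResiduePRNG{blk: blk, hi: hi, lo: lo, incHi: incHi, incLo: incLo}
}

// Next adds the 128-bit increment to the counter and returns one 8-byte output:
// the CBC residue E(E(hi) XOR lo) of the two counter halves with a zero IV.
func (p *CBCResiduePRNG) Next() []byte {
	var carry uint64
	p.lo, carry = bits.Add64(p.lo, p.incLo, 0)
	p.hi = p.hi + p.incHi + carry
	var in, out [8]byte
	binary.BigEndian.PutUint64(in[:], p.hi)
	p.blk.Encrypt(out[:], in[:]) // first CBC block
	binary.BigEndian.PutUint64(in[:], p.lo)
	for i := range in {
		in[i] ^= out[i] // chain the first block into the second
	}
	p.blk.Encrypt(out[:], in[:]) // CBC residue is the keystream block
	return out[:]
}

func main() {
	var key [24]byte
	copy(key[:], "0123456789abcdefFEDCBA98") // constructed demo key, not a real secret
	p := NewCBCResiduePRNG(&key, 0, 0, 0x9E3779B97F4A7C15, 0xF39CC0605CEDC835) // constructed increment
	for i := 0; i < 3; i++ {
		fmt.Printf("%x\n", p.Next())
	}
}
```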
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:56