Re: Strong PRNG with AES or 3-DES

Berke Durak (berke@gsu.linux.org.tr)
Sat, 8 Aug 1998 12:01:55 +0300 (EEST)

• Next message: Rodney Thayer: "Fwd: Re: RC6 legal status"
• Previous message: Alex Alten: "Re: ATM card pins"
• In reply to: David P Jablon: "Re: ATM card pins"
• Next in thread: Mok-Kong Shen: "Re: Strong PRNG with AES or 3-DES"
• Reply: Mok-Kong Shen: "Re: Strong PRNG with AES or 3-DES"

On Fri, 7 Aug 1998, Bob Baldwin wrote:

> I assume that Berke's message about using RC6
> as a strong PRNG was to take advantage of the wide
> block size. That is, RC6 would be used as a stream
> cipher such as counter mode with the PRNG state
> being the secret key and counter value, and perhaps
> the increment value is secret too.
[...]

Thanks to Bob Baldwim for his comment: after reflexion, I noticed that I
made a dangerous mistake while using RC6 as a PRNG. I used the following
scheme

        1.key RC6 with a 128-bit (strong) seed
        2.let B_0 be a null 128-bit RC6 data block; let i be 0 initially
        3.B_{i+1} = E(B_i) (where E is RC6 with the mentioned key)
        4.output B_{i+1} for the pseudorandom stream
        5.goto 3

Nothing guarantees that this algorythm will not fall in a short (i.e. with a
period less than 2^128 iterations) cycle, since the best we know about RC6
is that it acts as a random permutation (as every block cipher is supposed
to be) (knowing better would prove that RC6 has some weaknesses, wouldn't it
?)

Anyway, I'm considering using the following scheme:

        1.key RC6 with a 128-bit strong seed
        2.let A,B,C,D be the 32-bit blocks, with (A,B,C,D)
          forming the 128-bit RC6 block.
          set A,B,C,D initially to zero.
        3.output E(A,B,C,D) for the pseudorandom stream
        4.(A,B,C,D) <- f(A,B,C,D)
          where f is a function such that
          for all (A,B,C,D),
          card { f^i(A,B,C,D) | i in |N } = 2^128.
        5.goto step 3

The simplest f function that comes to mind is incrementation.

However there is no way to access the carry/overflow CPU bits from languages
such as C. The obvious way to increment a 128-bit register formed of 4
32-bit registers is by something like

        if (a == 0xffffffff) b++; a++;
        if (b == 0xffffffff) c++; b++; etc...

of course instead of testing if a register is equal to 0xffffffff, one might
test if it is equal to any other particular value which is more convenient,
e.g. zero.

Does someone know
        1.A more elegant f function (for C implementation)
or 2.A different operation mode for using a block cipher
          as a maximum-length PRNG ?

Berke Durak - berke@gsu.linux.org.tr - http://gsu.linux.org.tr/kripto-tr/
PGP bits/keyID: 2047/F203A409 fingerprint: 44780515D0DC5FF1:BBE6C2EE0D1F56A1

• Next message: Rodney Thayer: "Fwd: Re: RC6 legal status"
• Previous message: Alex Alten: "Re: ATM card pins"
• In reply to: David P Jablon: "Re: ATM card pins"
• Next in thread: Mok-Kong Shen: "Re: Strong PRNG with AES or 3-DES"
• Reply: Mok-Kong Shen: "Re: Strong PRNG with AES or 3-DES"