Niels Möller (nisse@lysator.liu.se)
22 Oct 1998 01:10:02 +0200
Marcus Watts <mdw@umich.edu> writes:
> Writes nisse@lysator.liu.se (Niels Möller):
> > In the eurocrypt-98 rump session, Adi Shamir proposed the following
> > construction:
> >
> > Given some pseudorandom function F (iirc, Shamir used a hash function,
> > but the same should apply to a block cipher with a fixed (secret)
> > key), construct a sequence by iterating
> >
> > x_0 = some secret seed value
> > x_{i+1} = F(x_i) + i (where + is addition or bitwise xor).
> >
> If F(x) is a block cipher instead of a one-way hash, then it's
> no longer truly a one-way function. That means it's vulnerable
> to a state compromise attack. If the attacker can gain access to
> the internal state he can walk backwards through the function to
> find previous numbers.
You're right, of course.
/Niels
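The difference Marcus points out, as an added example that is not part of the thread: the same iteration x_{i+1} = F(x_i) + i run with a one-way hash and with an invertible keyed permutation. The permutation is a small hash-based Feistel network constructed here to stand in for "a block cipher with a fixed secret key"; the key and seed are constructed values. With the invertible F, anyone holding x_n and its index can decrypt step by step back to the seed; with the hash there is no inverse to apply.

```python
# Added example (not from the thread): Shamir's iterated construction
# x_{i+1} = F(x_i) + i with F either a one-way hash or an invertible
# keyed permutation, showing why the latter loses backtracking resistance.
import hashlib

MASK = (1 << 128) - 1      # state is 128 bits; "+ i" is addition mod 2^128
HALF = (1 << 64) - 1


def hash_f(x: int) -> int:
    """One-way F: SHA-256 of the state, truncated to 128 bits (no inverse)."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(16, "big")).digest()[:16], "big")


def _round(key: bytes, r: int, half: int) -> int:
    # Feistel round function: keyed hash of one 64-bit half
    data = key + bytes([r]) + half.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def cipher_f(key: bytes, x: int, rounds: int = 4) -> int:
    """Invertible F: toy 128-bit Feistel permutation under a fixed key.
    Constructed here as a stand-in for a real block cipher."""
    left, right = x >> 64, x & HALF
    for r in range(rounds):
        left, right = right, left ^ _round(key, r, right)
    return (left << 64) | right


def cipher_f_inverse(key: bytes, y: int, rounds: int = 4) -> int:
    """Undo cipher_f by running the Feistel rounds in reverse order."""
    left, right = y >> 64, y & HALF
    for r in reversed(range(rounds)):
        left, right = right ^ _round(key, r, left), left
    return (left << 64) | right


def generate(f, seed: int, n: int) -> list:
    """x_0 = seed, x_{i+1} = (F(x_i) + i) mod 2^128; returns [x_0 .. x_n]."""
    xs = [seed]
    for i in range(n):
        xs.append((f(xs[-1]) + i) & MASK)
    return xs


def walk_back(key: bytes, x_n: int, n: int) -> int:
    """State compromise with the block-cipher F: from x_n and its index n,
    subtract i and decrypt at each step to recover the seed x_0."""
    x = x_n
    for i in reversed(range(n)):
        x = cipher_f_inverse(key, (x - i) & MASK)
    return x
```

The hash variant offers no such walk: generate(hash_f, seed, n) produces a sequence, but nothing in the code can map x_n back to x_{n-1}.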
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22