PRNG design document?

Thor Lancelot Simon tls at rek.tjls.com
Wed Sep 3 13:26:38 EDT 2003


On Wed, Sep 03, 2003 at 08:25:54AM -0700, Joshua Hill wrote:
> On Fri, Aug 29, 2003 at 03:45:50PM -0400, Thor Lancelot Simon wrote:
> 
> > However, it has always been permitted
> > to use a free-running counter instead of the time, and indeed the current 
> > interpretation by NIST *requires* that a counter, not the time, be used.
> 
> "always" is a strong term, but they have allowed it for the last 4 years
> or so, anyway.  I don't think that I've seen any guidance from NIST that
> disallows an actual clock, but they do want the value to change every
> round, so it would have to be a fast clock or a slow implementation to
> fulfill the requirement in this way.

Unfortunately, unless something has changed since the proposed RNG Known 
Answer Tests were temporarily withdrawn, some of that set of derived 
requirements would make it impossible to have an implementation that 
actually used the time in Ti certified.  I pointed this out to NIST 
informally through one of the test labs and was, essentially, told 
"too bad".

It is particularly amusing that the way the RNG tests were originally 
specified, they essentially required the algorithm to diverge
from all published specifications by adding an additional step, that of
checking to see if a Ti value had explicitly been specified for testing
purposes; that Ti value was then to be treated as a counter and incremented
once per round.   I pointed this out and was met with plain old lack of
comprehension: in fact, I was told that "since it computes the same
function from its inputs to its outputs, it must be the same algorithm".
This basically made my jaw drop, but since I didn't feel like arguing
about fundamental computer science with the people who were going to be
testing my implementation I left it alone. :-/

-- 
 Thor Lancelot Simon	                                      tls at rek.tjls.com
   But as he knew no bad language, he had called him all the names of common
 objects that he could think of, and had screamed: "You lamp!  You towel!  You
 plate!" and so on.              --Sigmund Freud

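To make the design point in the thread concrete, here is an added example (not code from the post, from NIST, or from any test lab) of an X9.17/X9.31-style generator with a pluggable Ti source. It shows the two modes the post contrasts: a counter that starts from an explicitly specified value and is incremented once per round (the known-answer-test behaviour described above, which makes the output reproducible), and a clock source, which only satisfies the "value must change every round" expectation if the clock ticks faster than the generator runs. The block cipher E_K is replaced by HMAC-SHA256 truncated to 16 bytes so the example runs on the standard library alone; the stall check that rejects a repeated Ti is my own addition modelled on the guidance the post summarises, not quoted requirement text.

```python
"""X9.17/X9.31-style PRNG round with a pluggable Ti (date/time) input.

Round structure (X9.17):  I = E_K(Ti);  R = E_K(I xor V);  V' = E_K(R xor I)
E_K is a stand-in here (HMAC-SHA256 truncated to BLOCK bytes), not AES/3DES.
"""
import hashlib
import hmac
import time
from typing import Callable, List

BLOCK = 16  # bytes per Ti / V / output block (assumption for this example)


def _e(key: bytes, block: bytes) -> bytes:
    """Stand-in for the keyed block cipher E_K."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class TiStalledError(RuntimeError):
    """Raised when the Ti source returns the same value two rounds in a row."""


class X917Style:
    def __init__(self, key: bytes, seed_v: bytes, ti_source: Callable[[], bytes]):
        if len(seed_v) != BLOCK:
            raise ValueError("seed V must be one block")
        self.key = key
        self.v = seed_v
        self.ti_source = ti_source
        self.last_ti = None

    def next_block(self) -> bytes:
        ti = self.ti_source()
        if len(ti) != BLOCK:
            raise ValueError("Ti must be one block")
        # Per-round check: Ti has to change every round (hypothetical self-check,
        # modelled on the guidance described in the thread).
        if ti == self.last_ti:
            raise TiStalledError("Ti did not change between rounds")
        self.last_ti = ti
        i = _e(self.key, ti)
        r = _e(self.key, _xor(i, self.v))
        self.v = _e(self.key, _xor(r, i))
        return r


def counter_ti(start: int) -> Callable[[], bytes]:
    """KAT mode: Ti begins at an explicitly specified value, +1 per round."""
    state = {"n": start}

    def src() -> bytes:
        val = state["n"].to_bytes(BLOCK, "big")
        state["n"] = (state["n"] + 1) % (1 << (8 * BLOCK))
        return val

    return src


def clock_ti(clock: Callable[[], int] = time.time_ns) -> Callable[[], bytes]:
    """Clock mode: Ti is the current time; a coarse clock will stall the check."""
    return lambda: clock().to_bytes(BLOCK, "big")


def kat_run(key: bytes, seed_v: bytes, start: int, rounds: int) -> List[str]:
    """Deterministic run with a counter Ti, as a known-answer test would drive it."""
    gen = X917Style(key, seed_v, counter_ti(start))
    return [gen.next_block().hex() for _ in range(rounds)]


if __name__ == "__main__":
    # Constructed sample key and seed; not test vectors from any standard.
    k, v0 = b"k" * 16, b"v" * 16
    print("KAT mode  :", kat_run(k, v0, 5, 3))
    stalled = X917Style(k, v0, clock_ti(lambda: 1234))  # frozen clock
    stalled.next_block()
    try:
        stalled.next_block()
    except TiStalledError as exc:
        print("clock mode:", exc)
```

Running the script twice gives the same KAT-mode output, which is the property the test harness relies on; the frozen-clock generator produces one block and then trips the stall check, which is what a real clock coarser than the generator's round time would do.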
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
