cryptographic ergodic sequence generators?
David Wagner
daw at mozart.cs.berkeley.edu
Sun Sep 7 11:18:25 EDT 2003
Perry E. Metzger wrote:
>I've noted to others on this before that for an application like
>the IP fragmentation id, it might be even better if no repeats
>occurred in any block of 2^31 (n being 32) but the sequence did not
>repeat itself (or at least could be harmlessly reseeded at very very
>long intervals).
Let E_k(.) be a secure block cipher on 31 bits with key k.
(For instance, E might be 16 rounds of Luby-Rackoff using
f(x) = AES_{AES_{k}(i)}(x) as the Feistel function in the ith round.)
Pick an unending sequence of keys k0, k1, k2, ... for E.
Then your desired sequence can be constructed by
E_k0(0), E_k0(1), E_k0(2), ..., E_k0(2^31 - 1),
2^31 + E_k1(0), 2^31 + E_k1(1), 2^31 + E_k1(2), ..., 2^31 + E_k1(2^31 - 1),
E_k2(0), E_k2(1), E_k2(2), ..., E_k2(2^31 - 1),
2^31 + E_k3(0), 2^31 + E_k3(1), 2^31 + E_k3(2), ..., 2^31 + E_k3(2^31 - 1),
...,
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list