[Cryptography] Generating random values in a particular range

Ray Dillinger bear at sonic.net
Sun Aug 7 14:45:16 EDT 2016



On 08/06/2016 11:13 AM, dj at deadhat.com wrote:

> My reading of the patent is that it says - Instead of pulling a random
> number until we find one where H(rn)<q, we pull one random number, seed a
> PRNG with it and pull from the PRNG until we find one where  H(rn)<q.
> 
> The PRNG they propose is CTR mode, but using a hash instead of a block
> cipher.
> 
> This is no different to pulling from a RNG that presents a PRNG seeded
> from an entropy source until you get one where H(rn) < q. It's just moving
> the boundary.

You still wind up with sets of different possible numbers having
different probability.  The set sizes and the differences in probability
are unchanged.  The only difference is that now the sets are less
obviously correlated.  i.e., you don't have "all numbers less than x" and
"all numbers greater than x" with different probabilities, you have
sets the same size but with the set membership now spread across the
full range of possible outputs.

This will make a primitive magnitude-bias test pass (in the long
run the average of all outputs does not drift away from the
expected mean nearly as fast).  But it will still fail any
selection-bias test, because it doesn't actually make the choice
among numbers in a way that's any less biased.

					Bear
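The two constructions the quoted message contrasts, written out so the magnitude and bucket tests Bear mentions can be run against both. This is an added example, not code from the thread or from the patent: method (a) pulls a fresh random rn each attempt and accepts H(rn) once it is below q; method (b) pulls one random seed, runs a hash in counter mode as the PRNG, and accepts the first output below q. SHA-256 as H, a 32-byte seed, the 8-byte counter encoding, the modulus Q and the eight-bucket histogram are all this example's assumptions.

```python
"""Drawing a value below q: fresh-random rejection (a) versus one seed
and a hash-CTR PRNG (b), as described in the quoted message.  Added
example; hash, seed width, counter encoding and q are assumptions."""
import hashlib
import secrets
from typing import Callable, Iterator, List, Sequence

HASH_BITS = 256
# Constructed modulus for the example: just above 2**255, so roughly half
# of all 256-bit hash outputs are accepted.  Any q < 2**HASH_BITS works.
Q = (1 << 255) + 0x1D1E


def h_int(data: bytes) -> int:
    """H(data) read as a HASH_BITS-bit big-endian integer (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def draw_fresh(q: int, rand: Callable[[int], bytes] = secrets.token_bytes) -> int:
    """Method (a): pull a fresh random rn each time; stop when H(rn) < q."""
    while True:
        x = h_int(rand(HASH_BITS // 8))
        if x < q:
            return x


def hash_ctr_prng(seed: bytes) -> Iterator[int]:
    """CTR mode with a hash in place of the block cipher: output i is H(seed || i)."""
    ctr = 0
    while True:
        yield h_int(seed + ctr.to_bytes(8, "big"))
        ctr += 1


def draw_from_seeded_prng(q: int, seed: bytes) -> int:
    """Method (b) given the seed: walk the hash-CTR PRNG until an output
    is below q.  Fully determined by the seed."""
    for x in hash_ctr_prng(seed):
        if x < q:
            return x
    raise AssertionError("unreachable: the generator is infinite")


def draw_seeded(q: int, rand: Callable[[int], bytes] = secrets.token_bytes) -> int:
    """Method (b): one random 32-byte seed, then the PRNG walk above."""
    return draw_from_seeded_prng(q, rand(32))


def magnitude_bias(samples: Sequence[int], q: int) -> float:
    """The 'primitive magnitude-bias test': distance of the sample mean
    from the expected mean q/2, as a fraction of q."""
    mean = sum(samples) / len(samples)
    return abs(mean - q / 2) / q


def bucket_counts(samples: Sequence[int], q: int, nbuckets: int = 8) -> List[int]:
    """Histogram over nbuckets equal-width intervals of [0, q).  A
    selection-bias test compares these counts with the uniform expectation
    len(samples) / nbuckets (e.g. by chi-square)."""
    counts = [0] * nbuckets
    for s in samples:
        counts[s * nbuckets // q] += 1
    return counts


if __name__ == "__main__":
    for name, draw in (("fresh", lambda: draw_fresh(Q)),
                       ("seeded", lambda: draw_seeded(Q))):
        samples = [draw() for _ in range(4000)]
        print(name, "mean drift:", round(magnitude_bias(samples, Q), 4),
              "buckets:", bucket_counts(samples, Q))
```

Both draws return a value in [0, q); the difference the thread is arguing about is only in where the fresh randomness enters, which the `rand` parameter makes explicit (pass a stub that returns fixed bytes to see that method (b) is a deterministic function of its single seed).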
