When is the blocking RNG called?

Charles Duffy cduffy at mvista.com
Mon Dec 4 12:48:18 CET 2000

On Mon, Dec 04, 2000 at 08:15:59PM +0100, Bodo Moeller wrote:
> On Sat, Dec 02, 2000 at 10:25:20AM +0800, Enzo Michelangeli wrote:
> > "Bodo Moeller" <bmoeller at hrzpub.tu-darmstadt.de>
> >> Enzo Michelangeli <em at who.net>:
> >>> I'm pretty happy with a
> >>> PRNG for just every task, as long as two conditions are satisfied:
> >>>
> >>> 1) It must be impossible to guess its future output without knowing its internal state
> >>> (which implies: 1.1 It must be impossible to guess its internal state from its output)
> >>>
> >>> 2) The PRNG is initially seeded with a sufficient amount of entropy
> >>>
> >>> In this case, the generator is as good as a true RNG.
> >> Wrong.  This definition is met by a "PRNG" that outputs only zeros and
> >> never advances its internal state, as long as this internal state
> >> starts with sufficient seeding.
> > Huh? If it outputs only zeros, it's not a PRNG at all, as its future output
> > is totally predictable...
> That's the point.  The requirements that you stated do not cover this problem.
> If the example appears too trivial, think, say, of a PRNG composed of a "bad"
> PRNG and a "good" PRNG such that every other bit is taken from each of
> these PRNGs.  The resulting output will still be bad, even though you
> can neither guess all of the internal state that determines the output
> nor predict all of the future output.

No, his requirements do work -- or, at minimum, your suggestion fails
the definition.

If the "PRNG" outputs only 0s, it is possible to guess its future
output without any knowledge of internal state, thus failing
requirement (1).
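The interleaving counterexample Bodo describes above, worked through as an added illustration (this code is not part of the thread and not GnuPG's code). A "good" generator, stood in for here by HMAC-SHA256 in counter mode under a secret seed, is interleaved bit by bit with the all-zeros "PRNG" from the thread. An attacker who knows the construction but not the seed cannot recover all of the internal state and cannot predict all of the future output, yet every odd-numbered bit is known in advance. The seed value and the class names are constructed for the demo.

```python
"""Added example (not from the thread): Bodo Moeller's interleaved-PRNG counterexample.

Shows that "cannot predict all future output / cannot recover all internal state"
does not imply the output is usable: half of it is predictable here.
"""
import hashlib
import hmac


class GoodPRNG:
    """Stand-in for a sound PRNG: output block i = HMAC-SHA256(seed, i)."""

    def __init__(self, seed: bytes):
        self.seed = seed        # secret internal state
        self.counter = 0
        self.buffer = []        # bits not yet handed out

    def next_bit(self) -> int:
        if not self.buffer:
            block = hmac.new(self.seed, self.counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self.counter += 1
            self.buffer = [(byte >> k) & 1 for byte in block for k in range(8)]
        return self.buffer.pop(0)


class ZeroPRNG:
    """The thread's trivial 'PRNG': seeded, never advances, always outputs 0."""

    def __init__(self, seed: bytes):
        self.seed = seed        # state exists but never influences the output

    def next_bit(self) -> int:
        return 0


class InterleavedPRNG:
    """Even-numbered output bits come from `good`, odd-numbered bits from `bad`."""

    def __init__(self, good, bad):
        self.good, self.bad = good, bad
        self.position = 0

    def next_bit(self) -> int:
        source = self.good if self.position % 2 == 0 else self.bad
        self.position += 1
        return source.next_bit()


def generate_bits(prng, n: int) -> list:
    return [prng.next_bit() for _ in range(n)]


def attacker_guess(position: int) -> int:
    """Attacker knows the construction but not the seed: guess 0 everywhere.
    That is always right in the 'bad' slots and a coin flip in the 'good' slots."""
    return 0


def prediction_accuracy(bits: list) -> dict:
    """Fraction of bits the attacker's guess matches, split by slot type."""
    good_hits = sum(1 for i, b in enumerate(bits) if i % 2 == 0 and attacker_guess(i) == b)
    bad_hits = sum(1 for i, b in enumerate(bits) if i % 2 == 1 and attacker_guess(i) == b)
    good_total = (len(bits) + 1) // 2
    bad_total = len(bits) // 2
    return {"good_slots": good_hits / good_total, "bad_slots": bad_hits / bad_total}


def demo(n_bits: int = 4096, seed: bytes = b"constructed-demo-seed") -> dict:
    """Run the interleaved generator and report how predictable each half is."""
    prng = InterleavedPRNG(GoodPRNG(seed), ZeroPRNG(seed))
    return prediction_accuracy(generate_bits(prng, n_bits))


if __name__ == "__main__":
    print(demo())   # bad_slots: 1.0, good_slots: roughly 0.5
```

The good half behaves as expected (guessing hits about 50%), so the composite cannot be called fully predictable; the bad half is hit 100% of the time. The practical lesson for a generator design or review is that the property to demand is per-bit indistinguishability from uniform, not merely "not all of the output is predictable".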

More information about the Gnupg-devel mailing list