When is the blocking RNG called?
Bodo Moeller
bmoeller at hrzpub.tu-darmstadt.de
Mon Dec 4 20:15:59 CET 2000
On Sat, Dec 02, 2000 at 10:25:20AM +0800, Enzo Michelangeli wrote:
> "Bodo Moeller" <bmoeller at hrzpub.tu-darmstadt.de>
>> Enzo Michelangeli <em at who.net>:
>>> I'm pretty happy with a
>>> PRNG for just every task, as long as two conditions be satisfied:
>>>
>>> 1) It must be impossible to guess its future output without knowing its internal state
>>> (which implies: 1.1 It must be impossible to guess its internal state from its output)
>>>
>>> 2) The PRNG is initially seeded with a sufficient amount of entropy
>>>
>>> In this case, the generator is as good as a true RNG.
>> Wrong. This definition is met by a "PRNG" that outputs only zeros and
>> never advances its internal state, as long as this internal state
>> starts with sufficient seeding.
> Huh? If it outputs only zeros, it's not a PRNG at all, as its future output
> is totally predictable...
That's the point. The requirements that you stated do not cover this problem.
If the example appears too trivial, think, say, of a PRNG composed of a "bad"
PRNG and a "good" PRNG such that every other bit is taken from each of
these PRNGs. The resulting output will still be bad, even though you
can neither guess all of the internal state that determines the output
nor predict all of the future output.
More information about the Gnupg-devel
mailing list