[3175] in cryptography@c2.net mail archive
Re: Strong PRNG with AES or 3-DES
daemon@ATHENA.MIT.EDU (Mok-Kong Shen)
Mon Aug 10 11:42:58 1998
Date: Mon, 10 Aug 1998 11:18:59 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
To: Berke Durak <berke@gsu.linux.org.tr>
CC: aes@suburbia.net, coderpunks@toad.com, cryptography@c2.net
Berke Durak wrote:
> Thanks to Bob Baldwim for his comment: after reflexion, I noticed that I
> made a dangerous mistake while using RC6 as a PRNG. I used the following ...........................
> Anyway, I'm considering using the following scheme:
>
> 1.key RC6 with a 128-bit strong seed
> 2.let A,B,C,D be the 32-bit blocks, with (A,B,C,D)
> forming the 128-bit RC6 block.
> set A,B,C,D initially to zero.
> 3.output E(A,B,C,D) for the pseudorandom stream
> 4.(A,B,C,D) <- f(A,B,C,D)
> where f is a function such that
> for all (A,B,C,D),
> card { f^i(A,B,C,D) | i in |N } = 2^128.
> 5.goto step 3
>
> The simplest f function that comes to mind is incrementation.
>
> However there is no way to access the carry/overflow CPU bits from languages
> such as C. The obvious way to increment a 128-bit register formed of 4
> 32-bit registers is by something like
>
> if (a == 0xffffffff) b++; a++;
> if (b == 0xffffffff) c++; b++; etc...
>
> of course instead of testing if a register is equal to 0xffffffff, one might
> test if it is equal to any other particular value which is more convenient,
> e.g. zero.
>
> Does someone know
> 1.A more elegant f function (for C implementation)
> or 2.A different operation mode for using a block cipher
> as a maximum-length PRNG ?
I wonder whether a method that I employed in another situation of
pseudo-random number generation could be of some use to you. It is
addition of two pseudo-random real numbers streams (in my case in [0,1))
mod 1. Since one can't determine from the result of this addition
the two participating addends, it appears barely possible for
the analyst to determine the two input streams, thus providing
security. I think that if you have two bit streams you can analogously
take 32 bit blocks and do addition mod 2^32 (which on PC is just
the ordinary integer addition, the carry-over beyond the leftmost
bit being simply ignored). For an concrete implementation using the
said method and literature reference of it see
http://www.stud.uni-muenchen.de/~mok-kong.shen/#paper9
I should appreciate very much to know whether my above argument
concerning the security provided by addtion mod 1 is o.k.
M. K. Shen
