[14058] in cryptography@c2.net mail archive
Re: cryptographic ergodic sequence generators?
daemon@ATHENA.MIT.EDU (David Wagner)
Sun Sep 7 14:19:22 2003
X-Original-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: Sun, 7 Sep 2003 15:18:25 +0000 (UTC)
Reply-To: daw@cs.berkeley.edu (David Wagner)
X-Complaints-To: usenet@abraham.cs.berkeley.edu
Perry E. Metzger wrote:
>I've noted to others on this before that for an application like
>the IP fragmentation id, it might be even better if no repeats
>occurred in any block of 2^31 (n being 32) but the sequence did not
>repeat itself (or at least could be harmlessly reseeded at very very
>long intervals).
Let E_k(.) be a secure block cipher on 31 bits with key k.
(For instance, E might be 16 rounds of Luby-Rackoff using
f(x) = AES_{AES_{k}(i)}(x) as the Feistel function in the ith round.)
Pick an unending sequence of keys k0, k1, k2, ... for E.
Then your desired sequence can be constructed by
E_k0(0), E_k0(1), E_k0(2), ..., E_k0(2^31 - 1),
2^31 + E_k1(0), 2^31 + E_k1(1), 2^31 + E_k1(2), ..., 2^31 + E_k1(2^31 - 1),
E_k2(0), E_k2(1), E_k2(2), ..., E_k2(2^31 - 1),
2^31 + E_k3(0), 2^31 + E_k3(1), 2^31 + E_k3(2), ..., 2^31 + E_k3(2^31 - 1),
...,
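The construction above, as an added example that is not part of Wagner's post: a Feistel permutation on width-1 bits drives the epoch sequence, the top bit alternates per key epoch, and a sliding-window check verifies exhaustively (at a small width, so every output can be enumerated) that no value repeats within any 2^(width-1) consecutive outputs. Assumptions: HMAC-SHA256 stands in for the AES_{AES_k(i)} round function, and the key sequence k0, k1, ... is derived from a master key by epoch index.

```python
import hmac
import hashlib
from collections import deque

# Assumptions (not from the post): HMAC-SHA256 replaces AES_{AES_k(i)} as the
# Feistel round function, and k_j is derived from a master key by epoch index.

def _round_fn(key: bytes, rnd: int, x: int, out_bits: int) -> int:
    """Keyed round function f_i(x) for round rnd, truncated to out_bits."""
    msg = rnd.to_bytes(2, "big") + x.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big") & ((1 << out_bits) - 1)

def feistel_permute(key: bytes, x: int, bits: int, rounds: int = 16) -> int:
    """Keyed permutation E_k on bits-bit integers (unbalanced Feistel, so odd widths such as 31 work)."""
    lbits, rbits = bits // 2, bits - bits // 2
    left, right = x >> rbits, x & ((1 << rbits) - 1)
    for i in range(rounds):
        if i % 2 == 0:                       # even rounds mix the right half into the left
            left ^= _round_fn(key, i, right, lbits)
        else:                                # odd rounds mix the left half into the right
            right ^= _round_fn(key, i, left, rbits)
    return (left << rbits) | right           # every round is an XOR with the other half, so invertible

def epoch_key(master: bytes, j: int) -> bytes:
    """k_j: the j-th key of the unending key sequence, derived from a master key (assumption)."""
    return hmac.new(master, b"epoch" + j.to_bytes(8, "big"), hashlib.sha256).digest()

def id_sequence(master: bytes, width: int, epochs: int, rounds: int = 16):
    """Wagner's sequence for width-bit IDs: epoch j yields E_{k_j}(0), ..., E_{k_j}(2^(width-1) - 1),
    with the top bit set on odd epochs so two adjacent epochs can never produce the same value."""
    block_bits = width - 1
    for j in range(epochs):
        top = (j & 1) << block_bits
        k = epoch_key(master, j)
        for i in range(1 << block_bits):
            yield top | feistel_permute(k, i, block_bits, rounds)

def no_repeat_in_window(seq, window: int) -> bool:
    """True iff no value occurs twice within any `window` consecutive outputs of seq."""
    recent, seen = deque(), set()
    for v in seq:
        if len(recent) == window:            # keep exactly the window-1 previous values
            seen.discard(recent.popleft())
        if v in seen:
            return False
        recent.append(v)
        seen.add(v)
    return True
```

With width 8 the block is 7 bits, so five epochs give 640 outputs; the window property holds at 128, while a window covering epochs 0 and 2 in full must repeat, since both enumerate the same 128 values with the top bit clear.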
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com