[19098] in cryptography@c2.net mail archive
Re: Proving the randomness of a random number generator?
daemon@ATHENA.MIT.EDU (Victor Duchovni)
Sun Dec 4 20:07:33 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Sun, 4 Dec 2005 19:31:47 -0500
From: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <d4f1333a0512032047p7916ca54s28d602f1cc077d42@mail.gmail.com>
On Sat, Dec 03, 2005 at 10:47:52PM -0600, Travis H. wrote:
> On 12/3/05, Victor Duchovni <Victor.Duchovni@morganstanley.com> wrote:
> > Actually, this is inaccurate, proving the strength of AES or factoring is
> > difficult, and may never happen, we may even prove AES to be not secure
> > (in a broad sense) some day. Proving an RNG secure is *impossible*.
>
> I'm not sure it's impossible, but you certainly have to restrict the
> scope from "unconditional security", which is an impossibility anyway.
> By analogy, an attacker may have encrypted some plaintext with your
> key and gotten your ciphertext before.
>
> Here is a reasonable security model:
> An attacker has access to all outputs of this PRNG x_0 .. x_n and
> nothing else of relevance.
> Can he guess x_(n+1) with probability greater than chance?
>
Wrong threat model. The OP asked whether the system generating random
numbers can prove them to have been "randomly" generating to a passive
observer. The answer is "no", this is not possible for the reasons
explained before. This is different from security of random numbers I
generate against being predicted by an adversary.
--
/"\ ASCII RIBBON NOTICE: If received in error,
\ / CAMPAIGN Victor Duchovni please destroy and notify
X AGAINST IT Security, sender. Sender does not waive
/ \ HTML MAIL Morgan Stanley confidentiality or privilege,
and use is prohibited.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
