[cryptography] Duplicate primes in lots of RSA moduli
iang at iang.org
Sat Feb 18 07:14:03 EST 2012
On 18/02/12 23:05 PM, Peter Gutmann wrote:
> Morlock Elloi<morlockelloi at yahoo.com> writes:
>> Properly designed rngs should refuse to supply bits that have less than
>> specified (nominal) entropy. The requestor can go away or wait.
> So you're going to sacrifice availability for some nebulous (to the user)
> level of security. What do you think the survivability of this "feature" will
> be in the real world?
To some extent this is an argument over designs & definitions. It seems
that we've reached a sort of consensus on definitions:
  - an RNG should deliver a quality of entropy, on which demand, it may
    insist "none at the moment"
  - a PRNG should deliver a quantity with some hopeful quality, and
    should therefore simply deliver a steady stream regardless of its state.
    It is happy to deliver with a seed of 0.
Which latter probably implies that any PRNG is a "perfect" PRNG as per
the NIST concept of fully deterministic, fully testable, and it is up to
the User to provide the entire seed.
If the User chooses to hook her RNG output up to her PRNG input, then
that works too, but she's then in charge of both variables.
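The RNG/PRNG split laid out in the reply above, as an added illustration that is not code from the thread or from any real library: a toy entropy pool that refuses a request it cannot back with its entropy estimate, and a toy deterministic generator that always delivers, so that two machines seeded identically produce identical "random" bytes (the mechanism behind shared RSA factors). The class and function names are assumptions, and the DRBG is a simplification rather than a NIST SP 800-90A construction.

```python
import hashlib
import hmac


class EntropyPool:
    """'RNG' in the thread's sense: tracks an entropy estimate and refuses
    ('none at the moment') rather than degrade the quality of its output."""

    def __init__(self):
        self._pool = b""
        self._entropy_bits = 0

    def add(self, data: bytes, estimated_bits: int) -> None:
        # Mix input into the pool; cap the credited entropy at the pool size.
        self._pool = hashlib.sha256(self._pool + data).digest()
        self._entropy_bits = min(self._entropy_bits + estimated_bits, 256)

    def get(self, nbytes: int):
        # Refuse when the request exceeds what the pool can back.
        need = nbytes * 8
        if need > self._entropy_bits:
            return None
        out = hashlib.sha256(b"out" + self._pool).digest()[:nbytes]
        self._pool = hashlib.sha256(b"next" + self._pool).digest()
        self._entropy_bits -= need
        return out


class ToyDrbg:
    """'PRNG' in the thread's sense: fully deterministic, always delivers,
    quality depends entirely on the seed the user supplies (toy construction)."""

    def __init__(self, seed: bytes):
        self._key = hashlib.sha256(seed).digest()
        self._counter = 0

    def get(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self._counter += 1
            ctr = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, ctr, hashlib.sha256).digest()
        return out[:nbytes]


def same_seed_same_output() -> bool:
    # Two hosts that both seed with all-zero bytes derive identical values.
    return ToyDrbg(b"\x00" * 32).get(16) == ToyDrbg(b"\x00" * 32).get(16)
```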