[cryptography] Duplicate primes in lots of RSA moduli

ianG iang at iang.org
Sat Feb 18 07:14:03 EST 2012


On 18/02/12 23:05 PM, Peter Gutmann wrote:
> Morlock Elloi<morlockelloi at yahoo.com>  writes:
>
>> Properly designed rngs should refuse to supply bits that have less than
>> specified (nominal) entropy. The requestor can go away or wait.
>
> So you're going to sacrifice availability for some nebulous (to the user)
> level of security.  What do you think the survivability of this "feature" will
> be in the real world?


To some extent this is an argument over designs & definitions.  It seems 
that we've reached a sort of consensus on definitions:

     an RNG should deliver a quality of entropy, on which demand, it may
insist "none at the moment"

     a PRNG should deliver a quantity with some hopeful quality, and
should therefore simply deliver a steady stream regardless of its state.
It is happy to deliver with a seed of 0.

Which latter probably implies that any PRNG is a "perfect" PRNG as per 
the NIST concept of fully deterministic, fully testable, and it is up to 
the User to provide the entire seed.

If the User chooses to hook her RNG output up to her PRNG input, then 
that works too, but she's then in charge of both variables.



iang
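The RNG/PRNG split sketched in the message above, as an added illustration that is not code from this post or from any project discussed in the thread. The entropy-estimate bookkeeping and the hash-based generator are simplified stand-ins (assumptions), not a NIST SP 800-90A DRBG; the point is the behavioural contract: the RNG refuses a request it cannot cover at full entropy, while the PRNG always delivers and leaves seed quality to the user.

```python
"""Toy model of "RNG may say none at the moment" versus "PRNG always delivers".

Added illustration, not code from the mailing-list post. EntropyRNG and
HashDRBG are simplified constructions chosen for clarity (assumption), not
standardised generators.
"""
import hashlib
import hmac


class EntropyRNG:
    """An RNG that accounts for entropy and may answer "none at the moment".

    A request for n bytes is served only if the pool's conservative estimate
    covers 8*n bits; otherwise it returns None. That refusal is the
    availability cost the thread argues about.
    """

    def __init__(self):
        self._pool = hashlib.sha256()
        self._estimate_bits = 0.0
        self._counter = 0

    def add_input(self, data: bytes, estimated_bits: float) -> None:
        """Mix data into the pool, crediting a conservative entropy estimate."""
        self._pool.update(data)
        # Never credit more entropy than the bytes could physically carry.
        self._estimate_bits += min(estimated_bits, 8 * len(data))

    def available_bits(self) -> float:
        return self._estimate_bits

    def get(self, n: int):
        """Return n bytes at full entropy, or None if the pool cannot cover it."""
        needed = 8 * n
        if self._estimate_bits < needed:
            return None
        self._estimate_bits -= needed
        out = b""
        while len(out) < n:
            self._counter += 1
            h = self._pool.copy()
            h.update(self._counter.to_bytes(8, "big"))
            out += h.digest()
        return out[:n]


class HashDRBG:
    """A deterministic PRNG: always delivers; quality is the seed's problem.

    HMAC-SHA256 over a counter (assumption: illustrative only). A seed of
    all zeros is accepted and produces a perfectly repeatable stream.
    """

    def __init__(self, seed: bytes):
        self._key = hashlib.sha256(b"seed:" + seed).digest()
        self._counter = 0

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            out += hmac.new(self._key, self._counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        return out[:n]


def seed_prng_from_rng(rng: EntropyRNG, seed_bytes: int = 32):
    """The user's choice: hook RNG output up to PRNG input.

    Returns a HashDRBG, or None when the RNG has nothing to offer yet; the
    user now owns both decisions (whether to wait, and what seed to accept).
    """
    seed = rng.get(seed_bytes)
    if seed is None:
        return None
    return HashDRBG(seed)


if __name__ == "__main__":
    rng = EntropyRNG()
    print("empty pool ->", rng.get(16))
    # Constructed sample input: 32 bytes, claimed at 256 bits of entropy.
    rng.add_input(b"constructed sample of 32 bytes!!", 256)
    print("after 256 bits ->", rng.get(16).hex())
    print("remaining bits:", rng.available_bits())
    drbg = HashDRBG(b"\x00" * 32)
    print("seed 0 still delivers:", drbg.generate(16).hex())
```

Running it shows the two contracts side by side: the same 16-byte request is refused on an empty pool and served once 256 bits have been credited, and the PRNG hands out bytes for a zero seed without complaint. Whether refusal or a weak seed is the worse failure is exactly the disagreement in the thread.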


