Hacker News
by chowells 2657 days ago
I see a flaw with that PRNG scheme. Since AES is reversible, the 128-bit blocks that make up the output cannot repeat. The output is a permutation of distinct 128-bit blocks. Early in the sequence that only matters a tiny bit, but the longer it goes, the more that tells you about possible upcoming values.
2 comments

Seems like it's safe for 2^(64) blocks. That should suffice.

https://security.stackexchange.com/questions/27776/block-cha...

In theory you are right, but in practice, flips take fewer than 10 blocks of AES output, so the sequence should look random unless AES is very broken.

Edit (and meta-edit): I changed the wording in the FAQ accordingly.
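Added example, not from the thread or any of its commenters: a toy 16-bit Feistel cipher run in counter mode beside a hash-based "random function" stand-in, to make the permutation property from the first comment and the birthday bound behind the 2^64-block figure visible in code. All function names and the key are assumptions; the block size is deliberately tiny so the distinguishing effect shows after a few thousand blocks instead of 2^64, and the cipher is an illustrative stand-in for AES, not a model of it.

```python
import hashlib

# Toy block cipher: 16-bit block, two 8-bit halves, 4-round Feistel network.
# A Feistel network is a bijection for ANY round function, which is the whole
# point: the same "outputs never repeat" property holds for AES-CTR.
HALF_MASK = 0xFF
BLOCK_SPACE = 2 ** 16
ROUNDS = 4


def _round_func(key: bytes, rnd: int, half: int) -> int:
    """Keyed 8-bit round function derived from SHA-256 (assumed construction)."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def toy_block_encrypt(key: bytes, block: int) -> int:
    left, right = (block >> 8) & HALF_MASK, block & HALF_MASK
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_func(key, rnd, right)
    return (left << 8) | right


def toy_block_decrypt(key: bytes, block: int) -> int:
    """Inverse of toy_block_encrypt; shows the cipher is reversible."""
    left, right = (block >> 8) & HALF_MASK, block & HALF_MASK
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_func(key, rnd, left), left
    return (left << 8) | right


def ctr_outputs(key: bytes, n: int) -> list[int]:
    """Counter-mode PRNG: encrypt 0, 1, 2, ... with the toy cipher."""
    assert n <= BLOCK_SPACE
    return [toy_block_encrypt(key, ctr) for ctr in range(n)]


def prf_outputs(key: bytes, n: int) -> list[int]:
    """Random-function stand-in: truncated SHA-256 of the counter (may repeat)."""
    return [
        int.from_bytes(hashlib.sha256(key + ctr.to_bytes(2, "big")).digest()[:2], "big")
        for ctr in range(n)
    ]


def count_collisions(outputs: list[int]) -> int:
    """Number of output values that repeat an earlier value."""
    return len(outputs) - len(set(outputs))


def expected_collisions(n: int, space: int) -> float:
    """Birthday estimate n(n-1)/(2N) for n draws from a space of size N."""
    return n * (n - 1) / (2 * space)


def classify(outputs: list[int], space: int) -> str:
    """Distinguisher: a permutation in counter mode shows zero collisions
    even where a random function would be expected to show many."""
    expected = expected_collisions(len(outputs), space)
    if count_collisions(outputs) == 0 and expected >= 10:
        return "permutation"
    return "random-looking"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    n = 4096
    print("toy CTR collisions:", count_collisions(ctr_outputs(key, n)),
          "->", classify(ctr_outputs(key, n), BLOCK_SPACE))
    print("random-function collisions:", count_collisions(prf_outputs(key, n)),
          "(expected about %.0f)" % expected_collisions(n, BLOCK_SPACE))
    # Same estimate for AES-size blocks: after 2^64 blocks a truly random
    # source would be expected to have produced about half a collision.
    print("AES-CTR at 2^64 blocks, expected collisions if random:",
          expected_collisions(2 ** 64, 2 ** 128))
```

With 4096 draws from a 65536-value space the random-function stand-in should show roughly 128 repeated values, while the counter-mode output of the toy cipher shows none, which is exactly the signal the first comment describes. The last line applies the same estimate to 128-bit blocks: only around 2^64 blocks does the missing collision become statistically noticeable, which is where the 2^64 figure in the reply comes from.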