by alexjeffrey
4288 days ago
your assumptions about cryptographically secure pseudorandom number generators (CSPRNGs for short) are incorrect - one of the key requirements of secure random number generation is the inability to predict future state given previous state. See http://en.wikipedia.org/wiki/Cryptographically_secure_pseudo..., particularly the part about the next-bit test. The bit about RSA aiding the NSA is spot-on though, if dual EC DRBG is in fact backdoored.
Obviously it's a requirement to not be able to predict the future of a PRNG given output from one. However (and the video discussed this!) that requirement may be violated, either accidentally or on purpose.
Therefore, these protocols should be implemented in such a way that they are more robust to defects in PRNGs. One such way is, obviously, not putting the output of a PRNG in the clear, then using the next bits out of that PRNG.
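An added example, not written by either commenter, to make the point concrete: a constructed toy LCG (`WeakPrng`) stands in for a defective or backdoored DRBG whose raw output reveals its state; `naive_handshake` puts that raw output on the wire as a nonce and uses the next output as a key, while `hardened_handshake` never exposes raw output and additionally mixes a separate long-lived `device_secret` into the key (all names and constants here are assumptions, not from any real protocol).

```python
import hashlib
import hmac


class WeakPrng:
    """Constructed stand-in for a defective DRBG: a 32-bit LCG whose raw
    output IS its internal state, so one output reveals every later one."""
    M, A, C = 2**32, 1664525, 1013904223  # textbook LCG parameters

    def __init__(self, seed: int):
        self.state = seed % self.M

    def next_word(self) -> int:
        self.state = (self.A * self.state + self.C) % self.M
        return self.state


def naive_handshake(prng: WeakPrng):
    """The pattern the comment warns about: raw PRNG output goes in the
    clear as the nonce, and the very next output becomes the secret key."""
    nonce = prng.next_word()
    key = prng.next_word()
    return nonce, key


def predict_key_from_nonce(nonce: int) -> int:
    """With a state-revealing generator an observer of the nonce simply
    steps the generator once to obtain the key (no secret needed)."""
    return WeakPrng(nonce).next_word()


def hardened_handshake(prng: WeakPrng, device_secret: bytes):
    """Two mitigations layered together:
    1. public values are a one-way hash of PRNG output with a domain tag,
       so the wire never carries raw generator state (the real generator
       must still be wide enough that the hash cannot be brute-forced;
       this 32-bit toy is not);
    2. key material is keyed with an independent long-lived secret, so
       even full recovery of the PRNG state does not yield the key."""
    raw = prng.next_word().to_bytes(4, "big")
    nonce = hashlib.sha256(b"nonce" + raw).digest()
    key = hmac.new(device_secret, b"key" + raw, hashlib.sha256).digest()
    return nonce, key
```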