Steve Bellovin writes: (quoting me and Perry)
> > Timothy C. May says:
> > > I don't think generating random numbers is all that much of a priority. The Blum-Blum-Shub C code is available, and I defy anyone to break _that_ PRNG!
> >
> > It's partially a question of speed. Many applications, like one-time pads, are just too slow to generate random strings for given normal techniques. It's partially a question of automation -- I'd like to be able to generate public/private key pairs on a regular basis and it's hard to do given all the goddamn typing. It's partially a question of abstract hacker satisfaction -- one would like to know that one's numbers are RANDOM.
>
> That isn't a matter of "abstract hacker satisfaction". That's a very strong security requirement: how do you *know* that your keys are random?
>
> Tim May suggested using Blum-Blum-Shub. Fine -- but how are you going to seed it? That's why I want real random numbers -- as a seed to Blum-Blum-Shub or quintuple IDEA or MD5 composed with SHS or whatever. I probably wouldn't use the random numbers in raw form, though -- and no one else does, either; the real random number generators I've seen all incorporate some sort of scrambling function.
My point, not shown above, was not that a good RNG based on physical sources isn't needed. I would in fact buy one, if only for playing with it, if it was cheap enough (the $25 numbers sounded reasonable). Rather, my main point was that we've seen this proposal for an RNG dongle at least 4 or 5 times before. Sort of like the t-shirt proposals, except with t-shirts the problems are simpler, the pathway clearer, and eventually someone goes ahead and starts the process and t-shirts come out the other end. With crypto dongles discussed here over the past year and a half, there is typically a flurry of "wouldn't it be nice" and "it ought to be easy to reverse bias a diode" and "what about alpha particles?" posts and "why doesn't someone do it?" messages, and then... silence. Until the next flurry, of course.

I have not called for a cheap RNG, so I am not obligated to put up or shut up. For those who have claimed it ought to be easy, here's your chance!

(I worry less about random numbers because I believe an attack on one's PGP messages is much, much likelier to come from inadvertent revealing of one's key and passphrase, through the usual means, than through an attack based on the nonmaximal entropy of the random numbers generated. But if better random numbers are essentially free... Of course, there's then the possibility that one's RNG dongle is actually generating nonrandom bits--maybe NIST and NSA can license RNGs and sell "Ripper" chips?)

I'll commit right now to paying $25 for a serial port dongle that "looks like" a standard serial port device (a modem, for example, looking like a modem hooked up at 19,200 or better to the Cosmic Random Number). It won't even have to have drivers to talk to it... I'll buy the dongle first and worry about that later.

(The dongle must meet certain basic requirements, such as outputting bits of the right amplitude. No RS-232 connectors with 1K resistors soldered across the pins, please.)
--Tim May

..........................................................................
Timothy C. May         | Crypto Anarchy: encryption, digital money,
tcmay@netcom.com       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets,
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."
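Bellovin's point above, that a Blum-Blum-Shub stream is only as good as its seed, as an added example that is not from the original thread: a toy BBS generator whose seed is derived from real entropy through a hash acting as the "scrambling function", plus a von Neumann step for debiasing raw bits from a physical source. The prime pair, the SHA-1 choice and `os.urandom` standing in for the hardware dongle are assumptions of this example.

```python
import hashlib
import math
import os

# Constructed toy Blum primes (both congruent to 3 mod 4) so the arithmetic
# is easy to follow; a real deployment needs primes of hundreds of digits each.
P, Q = 10007, 10039
N = P * Q


def von_neumann_debias(raw_bits):
    """Strip bias from a raw physical source: 01 -> 0, 10 -> 1, 00/11 dropped."""
    return [a for a, b in zip(raw_bits[0::2], raw_bits[1::2]) if a != b]


def seed_from_entropy(entropy: bytes) -> int:
    """Derive a BBS seed s with 1 < s < N and gcd(s, N) == 1 from real entropy.
    SHA-1 plays the scrambling role the post assigns to MD5/SHS (assumption)."""
    counter = 0
    while True:
        digest = hashlib.sha1(entropy + counter.to_bytes(4, "big")).digest()
        s = int.from_bytes(digest, "big") % N
        if s > 1 and math.gcd(s, N) == 1:
            return s
        counter += 1  # rare: candidate shared a factor with N, try again


class BlumBlumShub:
    """x_{i+1} = x_i^2 mod N, emitting the least significant bit of each state."""

    def __init__(self, s: int):
        if not 1 < s < N or math.gcd(s, N) != 1:
            raise ValueError("seed must lie in (1, N) and be coprime to N")
        self.x = (s * s) % N  # x_0 is a quadratic residue mod N

    def next_bit(self) -> int:
        self.x = (self.x * self.x) % N
        return self.x & 1

    def bits(self, count: int):
        return [self.next_bit() for _ in range(count)]


def fresh_generator() -> BlumBlumShub:
    """Seed from the OS entropy pool, standing in for the serial-port dongle."""
    return BlumBlumShub(seed_from_entropy(os.urandom(32)))
```

Two generators built from the same seed emit identical streams, which is exactly why the seed, not the squaring, is what an attacker would go after.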