don@allegra.UUCP (12/04/83)
The last thing in the world I would say is that Berkeley's random number generator can form the basis of a cryptographic system that is stronger than DES. The state of the art in cryptography today is far beyond the level of "well, this looks random, let's use it". Considered as polynomials over GF(2), DES is a function of 120 variables with about 2**63 terms. The new random() function in 4.2bsd has a few hundred variables, but only a few dozen terms. It is a MUCH SIMPLER function. DES can be used as a [non-linear] pseudo-random generator in what is called Output Feedback mode (OFB). The plaintext is xor'ed with the sequence R[i+1] = DES(R[i], Key). Presumably, you cannot recover the sequence from a sample because you do not know the Key. In general tho, it is hard to say what non-linear sequences will do. People don't use them because they may have short periods or even converge to a single value after a while! It is hard to determine whether a given sequence will do that. Someone (I believe Davida) has pointed out that it is a good idea not reveal the entire state of the random number generator at once. In other words, you should not xor 4 bytes of plaintext with rand(), but rather you should xor 1 byte of plaintest with ((rand()>>24)&0xff). Another useful concept is to feed back plaintext information into the cryptographic process. Plaintest Autokey (PTAK) systems do that. For instance, one can interate: Cypher[i] = DES(Plain[i], Key); key = Combine(Key, Plain[i]); Finally, you should look at the article "How to Generate Cryptographically Strong Sequences of Pseudo Random Bits" by Manual Blum and Silvio Micali in the 23rd Symposium on Foundations of Computer Science.