From: Matthew B. Landry <mbl@ml7694a.leonard.american.edu>
Date: Wed, 6 Oct 93 15:25:43 PDT
To: Eli Brandt <ebrandt@jarthur.Claremont.EDU>
Subject: Re: Strong PRNGs
Message-ID: <9310062225.AA01850@toad.com>
MIME-Version: 1.0
Content-Type: text/plain


>Another point: it raises the possibility of an interesting loophole
>in the ITAR.  Cryptographic hash functions are exportable, as "systems
>for authentication", or something to that effect.  A random-number
>generator based on a hash function should be exportable.  After all,
>as you say, 
>> I have many uses for random numbers and none of them is XOR encryption.
>
>But such an RNG *could* be used for encryption.  If you package and
>market it as such, you're asking for trouble.  But packaged as a
>library routine in a simulation library?  It's not a fast PRNG, but
>it should be pretty good statistically.
        Does it strike you as ironic that in this atmosphere where "exporting" 
basically secure products like PGP is illegal, that exporting the tools to 
generate one of the best possible (in the security sense) encryption systems 
known to current technology (better than anything that can be implemented in 
software, anyway) would be _legal_, because it also has ample uses that are 
unrelated to cryptography?
        If only One Time Pad style systems weren't so kludgey, this would 
present the _perfect_ solution to our problems with ITAR and the like. 
Unfortunately, there are some things they can't do. Oh well...
        Please don't bother to tell me that we'd need to physically build 
hardware to generate seeds for the hash functions, because I already know that. 
I didn't say it was entirely practical, just that it was an interesting bit of 
irony.
--
Matthew B. Landry
ml7694a@american.edu
(Finally!) mbl@ml7694a.leonard.american.edu