Daniel M Gordon. Designing and detecting trapdoors for discrete log cryptosystems (1993). http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.97.3...
 Yvo Desmedt, Peter Landrock, Arjen K. Lenstra, Kevin S. McCurley, Andrew M. Odlyzko, Rainer A. Rueppel, Miles E. Smid: The Eurocrypt '92 Controversial Issue: Trapdoor Primes and Moduli (Panel). 194-199. http://link.springer.com/content/pdf/10.1007%2F3-540-47555-9...
 Miles E. Smid, Dennis K. Branstad. Response to Comments on the NIST Proposed Digital Signature Standard. http://link.springer.com/content/pdf/10.1007%2F3-540-48071-4...
I believe NIST learned their lesson, and it was applied in the design of SHA-3: http://crypto.stackexchange.com/questions/6444/why-are-the-c...
These "numbers up ones sleeve" would only be an issue if they are part of the algorithm itself, like the S-Boxes in the (symmetric) AES algorithm.
Could a cryptographer please explain why it's not feasible to use multiple such PRNG algorithms in both series and parallel, perhaps even shuffling their order dynamically, at, err, random?
Surely most attacks on PRNGs are based upon the assumption that their state can be modelled to expose weaknesses. By viewing an entire, shifting, 'topology' of PRNGs as a single polymorphic source for pseudorandom data, surely this class of attack becomes much more difficult and we avoid either placing absolute trust in a single PRNG author, input entropy source, or a single mathematical approach.
I suppose this has already been done to the extent reasonable and that tradeoffs versus performance and available entropy input rates are probably responsible. But I'd still be keen to hear someone thrash this out in understandable prose.
More to the point, as well as the potential to conceal bugs it also offers the potential to mitigate the impact of bugs. This was the whole point of my question, which despite some interesting responses, basically remains unanswered.
If the hashing algorithm is good, and an attacker is missing some reasonable chunk of the data that went into it, you're getting secure random numbers.
A combination of algorithms is simply a new, more complex algorithm. It may be an obvious and safe algorithm that enhances security, like Truecrypt's option of an AES/Twofish/Serpent cascade, or it may be a totally worthless algorithm -- like if you created a new "hashing" algorithm that consisted of CRC32 followed by SHA256.
As that second example demonstrates, the naïve way of combining hashing algorithms is obviously not safe. If you simply layer them, any one of them could destroy entropy by producing biased/predictable results. Your new algorithm is crippled.
If you try to "mix" them in some other way, all you've done is create a new hashing algorithm and fed it the output of other hashing algorithms. It's perhaps less likely that any one of those sub-algorithms will seriously cripple your system, but it's much more likely that you've made a mistake, and your new algorithm itself produces poor results.
Somewhere along the way, you end up trusting something, even if it's your own algorithm. But since trusting yourself to get crypto right is a bad idea, the next best thing is to trust a well-vetted hashing algorithm, of which there are several that are likely "good enough", and aren't even NSA designed.
If you're super-paranoid about backdoors, RIPEMD-160 might be your best bet -- it's a product of European academia. It gets some use, but not as much cryptanalysis as the SHA family has.
That's true if you combine multiple algorithms conventionally, for example by feeding inputs from one to the other or by passing the original entropy to the two algorithms in parallel.
However, if you run one algorithm independently of another - with completely different entropy sources - then flip between supplying the output of each in rapid succession, then on the face of it for ~50% overheads you have probably mostly mitigated exploitable vulnerabilities in either of the two single PRNGs for most applications. (Optionally add another for more security, and take it a step further...)
You are right that this would need to be done carefully .. perhaps the flip in which PRNG is used for the output stream occurs at hard-to-predict points in time (the range of periods for which, potentially, might be carefully chosen from a range that takes in to account some other cryptographically relevant factors ... from a complete non-cryptographer like me, this might include things like entropy draw size by typical applications (optimizing for multiple PRNGs over a typical application draw), the length of any feedback register or calibration cycle of individual cryptographic client algorithms, etc. Generally this would mean 'pretty frequently but not so frequently that it's predictably useful' - something of a paradox, true.)
In short, I still think this approach may have some merit.
What I said is true no matter how you combine them, including in the manner you propose.
> flip between supplying the output of each in rapid succession
You've just exposed yourself to a possible related-key attack. Also, the effective entropy of your key could be halved simply by one of the PRNGs being compromised, so even absent a related-key attack, you'd better be using an encryption algorithm with a big key size.
(BTW, it's 100% overhead, not 50% overhead.)
(Oh, and if both algorithms happen to be compromised, the results are or might as well be 0-entropy. Yet again, somewhere along the way you end up trusting something.)
> perhaps the flip in which PRNG is used for the output stream occurs at hard-to-predict points in time
"Hard-to-predict" requires a secure random number generator. You've gone on to describe yet another ad-hoc random number generator that you would use in the construction of your random number generator.
Cryptography is hard.
It's a tradeoff for mitigating other, perhaps more realistic attack vectors.
the effective entropy of your key could be halved simply by one of the PRNGs being compromised
Halved is a whole lot better than wholly negated, which was the point of the suggestion.
Architecturally, though, it seems that (dis-)trusting two supposedly PRNG sources is better than all eggs in one basket with one.
Basically, it's a band-aid, but cryptography is rigorous and averse to band-aids, requiring everything to be mathematically proven before use.
It's not enough for an algorithm to "seem reasonable", it must be mathematically proven to have certain properties. It's really an extremely interesting subject to study, I'd give it a go. Join the coursera class on cryptography.
To be honest, I am quite partial to the description of modern economics given by George Soros, namely: the entire thing is based on a false analogy with Newtonian physics.
This is the proverbial 'false sense of security', lent credence by its ... ubiquity ... in the field. Perhaps sometimes mathematicians in general take a not wholly dissimilar bent in their reasoning; ie. they think that because something is proven in a mathematical sense using their current knowledge of viable routes of deducation that it remains 'true' and unassailable.
The threat of someone else having or coming up with a faster physical or logical method of deduction does threaten these assumptions.
The broader goal, then, is not to trust a single PRNG algorithm, or, if possible, branch of mathematics (I am not skilled in that area but heard Pythagorean vs. Elliptic Curve mentioned). I am positing that this level of paranoia is, whilst computationally and resource-wise somewhat more costly, probably a good idea, and that the example of the present article is a good one that demonstrates the efficacy of this line of thinking.
The secondary route of side-channel attacks is also hampered by this strategy, since arbitrary entropy sources (potential side channels) may be (re)assigned to arbitrary PRNG algorithms running in parallel at any time.
In summary: hedge thy bets.
That's because it does.
> The threat of someone else having or coming up with a faster physical or logical method of deduction does threaten these assumptions.
No, it doesn't, because there are no assumptions.
> The broader goal, then, is not to trust a single PRNG algorithm, or, if possible, branch of mathematics.
No, if you don't trust something, use something you do trust. The change you're proposing has more potential to do harm than good, e.g. render nine perfectly good PRNGs broken just because you mixed them with one broken one. If you had only used one PRNG, your adversary had to break that PRNG, but, now that you used ten, he only has to break the weakest one, so you've made things much easier for him.
> whilst computationally and resource-wise somewhat more costly, probably a good idea.
Nope, it probably isn't.
> In summary: hedge thy bets.
In summary, the entire crypto community is smarter than you (or me), and any improvement you (or I) think might work has probably been proven hopelessly broken a thousand times over. There's a reason people use a single PRNG, and the reason is that, when your PRNG's output is provably indistinguishable from true randomness, messing with it will certainly not improve it, and will probably ruin it.
I just want to know what it is.
(Edit as can't reply to child: Sure, but this gets back to the mathematical analysis does not equal real world proof, since we do not know all possible computational (or side channel!) vectors. Assertion otherwise is reminiscent of Socrates: οὖτος μὲν οἴεταί τι εἰδέναι οὐκ εἰδώς, ἐγὼ δέ, ὥσπερ οὖν οὐκ οἶδα, οὐδὲ οἴμαι This man, on one hand, believes that he knows something, while not knowing [anything]. On the other hand, I – equally ignorant – do not believe [that I know anything]. https://en.wikipedia.org/wiki/I_know_that_I_know_nothing ... OK that's weak, but honestly that's how I tend to think (ie. with great cynicism about any assertion) and it serves me alright in general security / non-cryptographic discourse. Basically this approach is treating the PRNG algorithm as a black box, refusing to trust it, and attempting to design a system incorporating the black box along with others claiming the same functionality, based upon that assumption. If this works for any other algorithm - and it seems to - then why not PRNGs? It's not like cryptography has a monopoly as an arbiter of risk. Cryptography is not a silver bullet.)
> and the reason is that, when your PRNG's output is provably indistinguishable from true randomness, messing with it will certainly not improve it, and will probably ruin it.
My intuition is based on the fact that this statement is correct for true random sources: If you take a bunch of random sources that generate streams of bits, then XORing those streams together will result in a stream of uniform and independent random bits if at least one of the source streams is a stream of uniform and independent random bits (this is an elementary argument in probability).
I'm not certain at the moment whether this generalizes to pseudo-random generators, but it seems plausible enough to expect that the XORed bit stream is at least as "good" in terms of pseudo-randomness as the best of the input streams.
Edit: Okay, I just realized that this is obviously false when the input streams themselves are correlated. For example, suppose that one of the input streams is PRNG A, and the other input stream is simply the negation of the output of PRNG A with the same seed. Then the output stream will consist of all 0s, which is not good. Perhaps some result can be salvaged when the seeds of the different PRNGs come from independent, truly random sources, but this means things get very tricky very quickly.
Even if that was impractical, and this is pure conjecture from someone who is not a mathematician or cryptographer, then at the very least they should be well obfuscated, eg. unpredictably delayed throughout a large enough temporal keyspace with a not insignificant degree of feedback, or with large initial random seeds. But I'm not a cryptographer, so that's all baseless assertion. IMHO the notion stands, though.
Edit: nhaehnle, I can't reply to your comment (yet) because it's too deeply nested. I don't know the direct answer, but if you want to do some research yourself, you could do worse then reading this relevant Wikipedia article (https://en.wikipedia.org/wiki/Randomness_extractor) and following the links. They don't talk about provable extractors in the article itself, but you can probably identify at least the right terms you need to search for on arxive or so.
If there is such a better way, then please provide more information - links and such.
The very definition of a pseudo-random number generator is that it's deterministic, i.e. an algorithm. If you know in what the state of the algorithm is, you know what the next number will be. Attempting to add some ad hoc behavior on top of crypto has two common issues:
First, adding of deterministic behavior to deterministic behavior does not in any way spontaneously add randomness (see quote). In fact, it can expose additional state on which an attack can be focused. For instance, perhaps when I learn that the system you are using is an interleaved set of numbers, I can use the starting set from each to guess the seed on which all PRNGs started. Second, crypto PRNGs that are well vetted are already at the top of the game for being apparently random in output. There shouldn't be a need to do anything like what you're suggesting, ever, with a valid PRNG. What Schneier is pointing out is that good crypt doesn't have a whiff of smell. Dual_EC_DRBG does. And, badly. Just use the others, instead.
Importantly, learn the first rule of crypto: Unless you're well versed in crypto, presume you will do a very bad job of trying to implement something yourself. Understand for what the crypto library is meant to be used, understand how to use it properly, and don't try to do something on your own. It is hard for even the experts to do it well. Some simple "why don't I just.." is practically guaranteed to have a flaw. Adding your own deterministic behavior is a sin.
e.g. make thousands upon thousands of functions, where the function names are sequential. Use the data itself to determine which of the functions will be called. Allow functions to call each other based on the random number values it calculates from its true random input. To figure out how much random data to produce, simply add an extra bit that is passed along to all the functions that indicates depth (how much show the true random data be processed before returning it to the program that needs a random number). This approach would produce a lot more random data that could only be determined if you knew the original true random data input and the amount of entropy that was required at the time since you'd need to know the depth used to know when to exit the functions.
This is the most concise and meaningful argument against the proposed approach thus far. Hats off.
OK, but the point was that if we approach PRNGs like any other element of a secure system, ie. without trust, as the article was suggesting, then combining them in some way may assist with QA on the overall output. (Example: I mean, we don't trust the NSA - but do we trust Schneier? He could be paid handsomely by the NSA as a false stooge and EFF board plant, who are we to know? And if you're an overseas government without a native cryptographic/cryptanalytic tradition, would you trust him? He's a US citizen connected to BT - that's UKUSA - two of the 'five eyes'!)
Similar to how multiple hashing algorithms are often used to preserve overall functional integrity in the case of individual hash function vulnerabilities that enable an attacker to propose collisions.
A lot of people have responded suggesting there is no way to combine PRNGs to offset the risk of a single PRNG's potential compromise, however I have not seen any citations to this effect and it does really make logical sense to me. Arguments tend to fall back to table-thumping on mathematical proofs, which is a demonstrably naieve way of building a secure system if, for example, your mathematical process, computational platform or side-channel security assumptions are outmoded by an attacker.
His answer, of course, is both simple and perceptive... somehow we all missed it. Cheers, Bruce!
Of course it's feasible.
The question is never about how to add a whole bunch of rounds, or multiple ciphers, to make something secure. The question is always security for a given unit of performance.
With no performance constraints, just use any old thing for a thousand rounds.
It is possible that the NSA want other nations to have the impression that NSA audited communications protocols are insecure or may contain backdoors. They have never expressly come out to deny any of these accusations.
The involvement of the NSA thus doesn't imply that they wish to weaken standards. Perhaps they want people like Schneier to question the security of these protocols and create a false aura of potential vulnerability so that their opponents don't make use of them.
said another way, what relates the two events in the editorialized title? Just an end of the innocence type vibe? Trusting the sigint guys to design your crypto has always been a well acknowledged double edged sword.
Or, much more likely I think, it was just a project that some NSA employees had sitting around and they wanted to get something out of it. In that case we learn that the NSA isn't so far ahead of academic cryptographers that their designs will always be better.
Either way I don't find this as scary a story as Schneier does.
I don't know much at all about cryptography, but why aren't all the natural sources of entropy an adequate source of random numbers?
A busy webserver does this much more often than it can easily generate entropy for. So you have to take shortcuts. That's where a pseudo-random number generator comes in.
If I had to hazard a guess, I'd say that this isn't often done simply because computers didn't typically have a lot of sensors until recently, and now you're likely to have a good-quality dedicated hardware random number generator built in, e.g. Intel's RDRAND instruction.
I thought it was done a lot, for example, in the Linux kernel: "The random number generator gathers environmental noise from device drivers and other sources into an entropy pool." 
(Edit: that is, the noise introduced in a circuit by the fact that it's not at absolute zero, e.g. Johnson noise. Not just gathering entropy from a temperature sensor reading or something like that.)
Also I believe that is where /dev/random might get some of its information from, but I'm not too sure.
In general you can tell exactly what compression was used because protocols start out in the clear and include some sort of negotiation. https://en.wikipedia.org/wiki/Transport_Layer_Security#Proto...
However both ends can separately agree that if they select one cipher suite, they will be secretly using a different one.
In cases where the key does not need to be memorized, a simple XOR cipher provides the property that you can create a "key" for any ciphertext and desired message.
I have an hard time even trusting AES.
Honestly I think those issues (like cryptanalysis) are totally out of reach by the public to comprehend, it's hard to really know how to make strong assumptions.
Seriously though, have we the people figured out this sequence yet? If there is a base sequence, and a relationship to a second sequence, I feel like this can't be too difficult to figure out mathematically, or through brute force means. Can someone who actually knows what they're talking about properly rebut me?
Generally the entropy needs to be secret to be effective so sourcing remote entropy reduces your security to that of the transport security (if any). It's hard to imagine a situation where you have a secure transport mechanism but do not have enough entropy since most encryption schemes that you might use to secure the transmission require secure random number generation.
Disclaimer: I am not a cryptographer, cryptology frightens and confuses me.
If I understand this correctly, most channel securing schemes require RNG for key exchange (e.g "no prior knowledge" DH key exchange) or pair generation (RSA), then you can move on to a symmetric cipher (whose key is derived from the resulting DH shared secret, or exchanged encrypted via RSA), which requires no RNG (until you want to change the key for PFS).
So one can assume scenario where only a quantum of entropy is needed to establish a secure connection, then refuel the entropy bucket with random data transmitted over the now secure yet "non entropy consuming" channel.
I don't know if it's in Windows 8 or not.
> The dual elliptic curve random-number generator algorithm.
> Windows 8: Beginning with Windows 8, the EC RNG algorithm supports FIPS 186-3. Keys less than or equal to 1024 bits adhere to FIPS 186-2 and keys greater than 1024 to FIPS 186-3.