RFC 4086, "Randomness Requirements for Security", June 2005
Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec
Errata ID: 3105
Status: Held for Document Update
Reported By: Florian Weimer
Date Reported: 2012-02-05
Held for Document Update by: Sean Turner
Section 6.2.2 says:
If one uses no more than the $\log_2(\log_2(s_i))$ low-order bits, then predicting any additional bits from a sequence generated in this manner is provably as hard as factoring n.
It should say:
As noted by Koblitz and Menezes in "Another look at provable security II", <http://eprint.iacr.org/2006/229.pdf>, this recommendation is based on a misinterpretation of the big-O notation. The claim about provable security is therefore misleading.
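For readers who want to see the quoted rule applied, the following Python is an added illustration written for this page; it is not code from RFC 4086, from the erratum, or from its reporter. It assumes the generator Section 6.2.2 describes is Blum Blum Shub (s_0 = x^2 mod n, s_{i+1} = s_i^2 mod n, with n = p*q and p, q both congruent to 3 mod 4) and computes the "log2(log2(s_i)) low-order bits" budget with integer floors. The primes in the demo are tiny, constructed values chosen so the states can be traced by hand; they carry no security, and per the erratum the "provably as hard as factoring" claim behind the budget is itself misleading, so the code demonstrates the rule, not a security guarantee.

```python
"""Blum Blum Shub with the RFC 4086 Section 6.2.2 bit budget.

Added example for this page, not part of RFC 4086 or the erratum.
Assumption: Section 6.2.2 describes Blum Blum Shub, i.e.
    s_0 = x^2 mod n,  s_{i+1} = s_i^2 mod n,  n = p*q,  p = q = 3 (mod 4).
"""
from math import gcd


def bits_allowed(s: int) -> int:
    """Integer-floor reading of the RFC rule: floor(log2(floor(log2(s)))).

    The RFC says the single lowest-order bit is always safe to take, so the
    budget never drops below 1 even for tiny states.
    """
    if s < 2:
        return 1
    log2_s = s.bit_length() - 1          # floor(log2(s))
    return max(1, log2_s.bit_length() - 1)  # floor(log2(floor(log2(s))))


class BBS:
    """Blum Blum Shub state machine that emits only the budgeted bits."""

    def __init__(self, p: int, q: int, x: int) -> None:
        if p % 4 != 3 or q % 4 != 3 or p == q:
            raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
        self.n = p * q
        if gcd(x, self.n) != 1:
            raise ValueError("seed x must be relatively prime to n")
        self.s = pow(x, 2, self.n)       # s_0 = x^2 mod n

    def step(self) -> tuple[int, int]:
        """Return (low-order bits of the current state, how many), then advance."""
        k = bits_allowed(self.s)
        value = self.s & ((1 << k) - 1)
        self.s = pow(self.s, 2, self.n)  # s_{i+1} = s_i^2 mod n
        return value, k


def bbs_states(p: int, q: int, x: int, count: int) -> list[int]:
    """First `count` internal states s_0, s_1, ... (for tracing, never for output)."""
    g = BBS(p, q, x)
    states = []
    for _ in range(count):
        states.append(g.s)
        g.step()
    return states


def bbs_bits(p: int, q: int, x: int, nbits: int) -> str:
    """Concatenate the budgeted low-order bits of successive states into a bit string."""
    g = BBS(p, q, x)
    bits = ""
    while len(bits) < nbits:
        value, k = g.step()
        bits += format(value, f"0{k}b")  # exactly k bits from this state
    return bits[:nbits]


if __name__ == "__main__":
    # Constructed toy parameters: p = 7, q = 11 (both 3 mod 4), n = 77, x = 3.
    # States cycle 9 -> 4 -> 16 -> 25 -> 9; budgets are 1, 1, 2, 2 bits.
    print("states:", bbs_states(7, 11, 3, 5))
    print("output:", bbs_bits(7, 11, 3, 6))
    # For realistic sizes the rule is stingy: a 2048-bit state yields 11 bits
    # per modular squaring, a 1024-bit state 10.
    for size in (1024, 2048):
        print(f"{size}-bit state -> {bits_allowed(1 << size)} bits per step")
```

Note that `bits_allowed` depends on the magnitude of s_i, not of n, exactly as the quoted text is written; since s_i is a residue mod n it can be much smaller than n on some steps, and the budget shrinks accordingly. The hardness claim that motivates the budget is the one the erratum disputes.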