[7347] in cryptography@c2.net mail archive


Re: Extracting Entropy?

daemon@ATHENA.MIT.EDU (Matt Blaze)
Mon Jun 19 22:46:15 2000

Message-Id: <200006192348.TAA03316@fbi.crypto.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Coderpunks <coderpunks@toad.com>, Cryptography <cryptography@c2.net>
In-Reply-To: Message from Ben Laurie <ben@algroup.co.uk> 
   of "Tue, 20 Jun 2000 00:36:33 BST." <394EAE81.725D0DB4@algroup.co.uk> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 19 Jun 2000 19:48:58 -0400
From: Matt Blaze <mab@research.att.com>

Well, this is not intended as a general hash function - in particular, the
pattern of which input bits affect which output bits depends entirely on
the hash function and the bit position and not on the actual input.  You
expect that flipping any one input bit will flip half the outputs, but
it's always the same ones.  This is probably OK for converting passwords
into key material (and actually makes it easier to show that you aren't
destroying any input entropy), but is an awful property for a general
cryptographic hash.

-matt

> Matt Blaze wrote:
> > 
> > I should point out that this construction is not designed to obscure the
> > input from the output (especially under differential probing), only
> > to give you m output bits that depend (each in a different way) on
> > the entire input.
> 
> Perhaps I should add that as a requirement. OTOH, assuming H is perfect,
> wouldn't that make this construction resistant? But I assume you are
> reluctant to attempt to prove that.
> 
> Cheers,
> 
> Ben.
> 
> --
> http://www.apache-ssl.org/ben.html
> 
> Coming to ApacheCon Europe 2000? http://apachecon.com/
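
Added example, not part of the original message and not the construction discussed in the thread (which does not appear on this page): a constructed GF(2)-linear parity map stands in for a function whose flip pattern depends only on bit position, and is compared with truncated SHA-256, where the pattern changes with the input. All names, sizes and seeds are assumptions chosen for illustration.

```python
import hashlib
import random

N_IN, M_OUT = 64, 32  # constructed sizes: 64 input bits -> 32 output bits

def make_masks(seed=1):
    # Stand-in construction (an assumption, not the one from the thread):
    # output bit j is the parity of the input bits selected by masks[j].
    rng = random.Random(seed)
    return [rng.getrandbits(N_IN) for _ in range(M_OUT)]

def linear_hash(masks, x):
    out = 0
    for j, m in enumerate(masks):
        out |= (bin(x & m).count("1") & 1) << j
    return out

def sha_hash(x):
    # General-purpose hash truncated to M_OUT bits, for comparison.
    d = hashlib.sha256(x.to_bytes(N_IN // 8, "big")).digest()
    return int.from_bytes(d[: M_OUT // 8], "big")

def flip_patterns(h, bit, trials=200, seed=2):
    # Distinct output differences seen when one input bit is flipped
    # across many random inputs.
    rng = random.Random(seed)
    pats = set()
    for _ in range(trials):
        x = rng.getrandbits(N_IN)
        pats.add(h(x) ^ h(x ^ (1 << bit)))
    return pats

def gf2_rank(rows):
    # Gaussian elimination over GF(2) on integer bit-vectors.
    basis = []
    for r in rows:
        for b in basis:
            r = min(r, r ^ b)
        if r:
            basis.append(r)
    return len(basis)

if __name__ == "__main__":
    masks = make_masks()
    lin = lambda x: linear_hash(masks, x)
    for bit in (0, 17, 63):
        fixed = flip_patterns(lin, bit)       # one pattern, whatever the input
        varying = flip_patterns(sha_hash, bit)  # pattern changes per input
        print(bit, len(fixed), len(varying), bin(next(iter(fixed))).count("1"))
    print("rank of mask matrix:", gf2_rank(masks))
```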
