[7495] in cryptography@c2.net mail archive
Re: Extracting Entropy?
daemon@ATHENA.MIT.EDU (Paul Crowley)
Mon Jul 17 20:20:35 2000
To: Ben Laurie <ben@algroup.co.uk>
Cc: Coderpunks <coderpunks@toad.com>, Cryptography <cryptography@c2.net>
From: Paul Crowley <paul@cluefactory.org.uk>
Date: 18 Jul 2000 00:31:24 +0100
In-Reply-To: Ben Laurie's message of "Mon, 19 Jun 2000 22:37:46 +0100"
Message-ID: <878zv0nxkj.fsf@hedonism.subnet.hedonism.cluefactory.org.uk>
A variant on this question that we might see for lots of questions
soon: what's the best way to do this given only AES as a primitive?
Here's a simple way that uses all of the passphrase to control a
cryptographic PRNG that can be used to generate keys or whatever: use
the passphrase as the key to the block cipher, and run it in counter
mode.
If the passphrase is less than 256 bits (32 characters), this works
directly. If it's less than 64 characters, use Triple-AES. In
general, I assume that to use a key n times longer than the native key
length of the block cipher, you need to run it in 2n-1 mode; I'm
pretty sure this is so if the meet-in-the-middle attack is the only
one you have to worry about. Append a 1 bit to the passphrase, then
fill to the next key boundary with zeroes as usual.
This takes O(mn) time, where n is the passphrase length and m is the
number of key bits you need. I suspect any good solution will have
this property. Still, you only have to keyschedule n times and things
should be pretty fast after that.
Any thoughts on the security or efficiency of this proposal?
--
__
\/ o\ paul@cluefactory.org.uk *NOTE NEW EMAIL ADDRESS* \ /
/\__/ Paul Crowley http://www.cluefactory.org.uk/paul/ /~\
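The construction Paul sketches above, worked through in Go as an added example (this is not code from the post or from any project; it uses the standard-library crypto/aes and crypto/cipher packages). Two points are my assumptions, not the post's: "2n-1 mode" is read as the Triple-DES pattern generalised, i.e. E with key 1, D with key 2, E with key 3, and so on up the key list and back down, so that two keys give exactly E_k1 D_k2 E_k1 ("Triple-AES") and one key is plain AES-256; and the counter starts at the all-zero block, since the post does not say where it starts. Names such as padPassphrase, newCascade and PassphraseStream are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// keyLen is the AES-256 key size in bytes: the "256 bits (32 characters)"
// boundary the post refers to.
const keyLen = 32

// padPassphrase appends a single 1 bit (the byte 0x80, i.e. 1 followed by
// seven 0 bits) and then zero bytes up to the next multiple of keyLen.
func padPassphrase(passphrase []byte) []byte {
	out := append([]byte(nil), passphrase...)
	out = append(out, 0x80)
	for len(out)%keyLen != 0 {
		out = append(out, 0x00)
	}
	return out
}

// splitKeys cuts the padded passphrase into consecutive AES-256 keys.
func splitKeys(padded []byte) [][]byte {
	var keys [][]byte
	for i := 0; i < len(padded); i += keyLen {
		keys = append(keys, padded[i:i+keyLen])
	}
	return keys
}

// cascade is a cipher.Block built from n AES-256 keys in 2n-1 layers.
// ASSUMPTION (mine, not the post's): layer i uses key i going up the list,
// then walks back down; even layers encrypt, odd layers decrypt. For n=2
// this is E_k1 D_k2 E_k1; for n=1 it is a single AES-256 encryption.
type cascade struct {
	layers []cipher.Block // one AES instance per layer, 2n-1 in total
}

func newCascade(keys [][]byte) (*cascade, error) {
	n := len(keys)
	c := &cascade{}
	for i := 0; i < 2*n-1; i++ {
		idx := i
		if i >= n {
			idx = 2*n - 2 - i // mirror: key n-2, n-3, ..., 0
		}
		b, err := aes.NewCipher(keys[idx])
		if err != nil {
			return nil, err
		}
		c.layers = append(c.layers, b)
	}
	return c, nil
}

func (c *cascade) BlockSize() int { return aes.BlockSize }

// Encrypt applies the layers front to back; even layers encrypt, odd decrypt.
func (c *cascade) Encrypt(dst, src []byte) {
	tmp := make([]byte, aes.BlockSize)
	copy(tmp, src)
	for i, b := range c.layers {
		if i%2 == 0 {
			b.Encrypt(tmp, tmp)
		} else {
			b.Decrypt(tmp, tmp)
		}
	}
	copy(dst, tmp)
}

// Decrypt undoes Encrypt: layers back to front, each with its inverse.
func (c *cascade) Decrypt(dst, src []byte) {
	tmp := make([]byte, aes.BlockSize)
	copy(tmp, src)
	for i := len(c.layers) - 1; i >= 0; i-- {
		if i%2 == 0 {
			c.layers[i].Decrypt(tmp, tmp)
		} else {
			c.layers[i].Encrypt(tmp, tmp)
		}
	}
	copy(dst, tmp)
}

// PassphraseStream returns n bytes of keystream from the passphrase-keyed
// cascade run in counter mode: the cryptographic PRNG the post describes.
// ASSUMPTION: the counter starts at the all-zero block.
func PassphraseStream(passphrase []byte, n int) ([]byte, error) {
	block, err := newCascade(splitKeys(padPassphrase(passphrase)))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(out, out) // XOR with zeros = raw keystream
	return out, nil
}

func main() {
	// Constructed sample passphrases: one under and one over the 32-byte boundary.
	for _, p := range []string{"correct horse battery staple",
		"a passphrase that is comfortably longer than thirty-two characters"} {
		keys := splitKeys(padPassphrase([]byte(p)))
		ks, _ := PassphraseStream([]byte(p), 16)
		fmt.Printf("%d key(s), %d layers, first 16 keystream bytes: %x\n",
			len(keys), 2*len(keys)-1, ks)
	}
}
```

Note that the boundary falls where the post says: a 31-byte passphrase pads to exactly one key, while a 32-byte one needs the 1 bit and so spills into a second key and a three-layer cascade. With the cascade reading used here, two equal keys collapse E D E back to a single encryption, which is the same degenerate case Triple-DES has.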