[7502] in cryptography@c2.net mail archive


Re: Extracting Entropy?

daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Wed Jul 19 09:34:37 2000

Mime-Version: 1.0
Message-Id: <v04210108b59ad02becec@[24.218.56.92]>
In-Reply-To: <878zv0nxkj.fsf@hedonism.subnet.hedonism.cluefactory.org.uk>
Date: Tue, 18 Jul 2000 23:29:06 -0400
To: Paul Crowley <paul@cluefactory.org.uk>, Ben Laurie <ben@algroup.co.uk>
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Cc: Coderpunks <coderpunks@toad.com>, Cryptography <cryptography@c2.net>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 12:31 AM +0100 7/18/2000, Paul Crowley wrote:
>A variant on this question that we might see for lots of questions
>soon: what's the best way to do this given only AES as a primitive?
>
>Here's a simple way that uses all of the passphrase to control a
>cryptographic PRNG that can be used to generate keys or whatever: use
>the passphrase as the key to the block cipher, and run it in counter
>mode.
>
>If the passphrase is less than 256 bits (32 characters), this works
>directly.  If it's less than 64 characters, use Triple-AES.  In
>general, I assume that to use a key n times longer than the native key
>length of the block cipher, you need to run it in 2n-1 mode; I'm
>pretty sure this is so if the meet-in-the-middle attack is the only
>one you have to worry about.  Append a 1 bit to the passphrase, then
>fill to the next key boundary with zeroes as usual.
>
>This takes O(mn) time, where n is the passphrase length and m is the
>number of key bits you need.  I suspect any good solution will have
>this property.  Still, you only have to keyschedule n times and things
>should be pretty fast after that.
>
>Any thoughts on the security or efficiency of this proposal?
>--

I don't understand how a meet-in-the-middle attack applies to 
passphrase entropy extraction. Longer running time may be desirable 
from a key stretching perspective, but I don't see a security 
requirement.  Am I missing something?

Arnold Reinhold
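
The single-key case of the proposal quoted above (passphrase under 32 characters, padded with a 1 bit and zeroes, used as an AES-256 key in counter mode), as an added example that is not part of the original thread. The pure-Python AES-256, the function names, the byte-string passphrase and the 128-bit big-endian counter starting at zero are assumptions made for this sketch; the Triple-AES case for longer passphrases is not covered.

```python
def _xt(a):  # multiply by x in GF(2^8) modulo the AES polynomial 0x11B
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _make_sbox():  # S-box = affine transform of the multiplicative inverse
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    box, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xt(p)                                        # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF   # q /= 3, so q = 1/p
        q ^= 0x09 if q & 0x80 else 0
        box[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
        if p == 1:
            return box

SBOX = _make_sbox()

def expand_key(key):  # 32-byte key -> 15 round keys of 16 bytes each
    w, rcon = [list(key[i:i + 4]) for i in range(0, 32, 4)], 1
    for i in range(8, 60):
        t = w[i - 1]
        if i % 8 == 0:                       # RotWord, SubWord, round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _xt(rcon)
        elif i % 8 == 4:                     # extra SubWord used by 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def encrypt_block(rk, block):  # AES-256 encryption of one 16-byte block
    s = [a ^ b for a, b in zip(block, rk[0])]
    for rnd in range(1, 15):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 14:                                              # MixColumns
            t = [s[c] ^ s[c + 1] ^ s[c + 2] ^ s[c + 3] for c in (0, 4, 8, 12)]
            s = [s[i] ^ t[i // 4] ^ _xt(s[i] ^ s[i - i % 4 + (i + 1) % 4]) for i in range(16)]
        s = [a ^ b for a, b in zip(s, rk[rnd])]
    return bytes(s)

def passphrase_key(passphrase):  # append a 1 bit (0x80), zero-fill to 256 bits
    if len(passphrase) > 31:
        raise ValueError("single-key case only: passphrase must be under 32 bytes")
    return passphrase + b"\x80" + bytes(31 - len(passphrase))

def keystream(passphrase, nbytes):  # counter-mode output under the passphrase key
    rk = expand_key(passphrase_key(passphrase))
    blocks = (encrypt_block(rk, ctr.to_bytes(16, "big")) for ctr in range((nbytes + 15) // 16))
    return b"".join(blocks)[:nbytes]
```

As written, the construction does no key stretching: checking one passphrase guess costs one key schedule and one block encryption.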

