Extracting uniform randomness from noisy source
David Wagner
daw at mozart.cs.berkeley.edu
Tue Aug 6 00:50:28 EDT 2002
Klaus Pommerening wrote:
>Indeed it is. But what about
> pseudo-random = AES_{noise}(k)
>[splitting noise into appropriate blocks] - as long as AES is
>believed to be secure against a known plaintext attack?
Well, I wouldn't recommend it. It has two disadvantages:
o In practice, you can only hash noise samples of up to
256 bits, and this constraint is a big problem. In practice,
it's often a good idea to hash samples from as many sources
as possible, and that may yield many kilobytes of data.
This construction provides no good way to help with this.
o In theory, there's no reason to believe that this method
is any good. For instance, suppose AES had a class of 2^64
weak keys: if the first 64 bits of the key are all zeros, then
encryption is the identity transform. Well, this wouldn't
contradict the assumption of security against known-plaintext
attack, as a random key would be extremely unlikely to fall
in such a class. Yet such a property would make your proposed
construction a not-so-great choice for entropy hashing.
The conclusion is that merely assuming security against
known-plaintext attacks (or even against adaptive chosen
plaintext/ciphertext attacks) is not sufficient to guarantee
that this method is secure, in theory.
In my opinion, SHA1 is superior in every way.
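The weak-key argument above, worked through as an added example (not code from the original post): a hypothetical block cipher whose keys with a zero first 64 bits act as the identity is modelled with HMAC-SHA256 standing in for the non-weak keys, and a constructed noise source whose samples happen to carry 64 fixed zero bits (think of unused high-order timestamp bits) is fed to both the cipher-keyed construction and a plain SHA1 over all samples.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit block, as with AES


def hypothetical_cipher(key, block):
    """Hypothetical cipher constructed for this example, not real AES.

    Keys whose first 64 bits are all zero encrypt as the identity (the
    weak-key class from the post); every other key is modelled as a keyed
    pseudo-random function, HMAC-SHA256 truncated to one block.  A random
    key falls into the weak class with probability 2^-64, so the cipher
    still looks fine against known-plaintext attacks with random keys.
    """
    assert len(key) == 32 and len(block) == BLOCK
    if key[:8] == bytes(8):
        return block
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def extract_with_cipher(noise_sample, k):
    """The proposed construction: pseudo-random = E_noise(k), one 256-bit sample per key."""
    return hypothetical_cipher(noise_sample, k)


def extract_with_hash(noise_samples):
    """Hash any amount of noise from any number of sources into one output."""
    h = hashlib.sha1()
    for s in noise_samples:
        h.update(s)
    return h.digest()


def make_structured_noise(n):
    """Constructed noise source: 64 always-zero bits followed by 192 random bits.

    Each sample still carries 192 bits of entropy, yet every sample is a weak key.
    """
    return [bytes(8) + os.urandom(24) for _ in range(n)]


def distinct_cipher_outputs(samples, k):
    """How many different 'random' blocks the cipher construction yields over the samples."""
    return len({extract_with_cipher(s, k) for s in samples})
```

With the structured source every output of the cipher construction collapses to the fixed input k, whereas the hash output still depends on all 192 entropy bits of every sample.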
---------------------------------------------------------------------
The Cryptography Mailing List