Extracting uniform randomness from noisy source
John Kelsey
kelsey.j at ix.netcom.com
Wed Aug 7 23:13:39 EDT 2002
At 11:03 PM 8/7/02 +0000, David Wagner wrote:
>John Kelsey wrote:
>>b. The first input block is not a random 128-bit value, and can reliably
>>be distinguished from one. In this case, the input just doesn't have full
>>entropy, and any known function you apply to it with a 128-bit output is
>>distinguishable from a random output. A one-way function just makes it
>>harder to distinguish these outputs, for a computationally-bounded
>>attacker. But how important this is depends on our assumptions about the
>>attacker's abilities; if we assume the attacker can do 110-bit searches,
>>then he can generally distinguish the output of *any* known function with
>>only 110 bits of entropy with reasonable probability.
>
>I was assuming that the first block has 80 bits of entropy, and that
>the attacker can't do 80-bit exhaustive searches. In such a scenario,
>my attack applies. The attack does not apply to all scenarios, but in
>cryptanalysis we are usually willing to consider the assumptions most
>favorable to the attacker, as long as they are at all plausible.
Yeah, sorry. I jumped in without realizing my starting assumptions were
different than yours.
--John Kelsey, kelsey.j at ix.netcom.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list