building a true RNG
Amir Herzberg
inbox at amir.herzberg.name
Tue Jul 30 10:02:18 EDT 2002
David Wagner said,
> The problem can really be divided into two parts:
> 1. Is our entropy crunching algorithm secure when used with
> a random oracle instead of SHA1?
> 2. Does SHA1 behave enough like a random oracle that the answer
> to question 1. is in any way relevant to the real world?
> I suspect that question 1. is not hard to answer in a formal,
> rigorous, provable way. It is only question 2. that is hard
> to answer. It is absolutely true that we have no proof for
> question 2.
>
> That said, we should keep in mind that none of our
> cryptographic algorithms (even 3DES) come with a proof of
> security. All we have to rest on is years of unsuccessful
> cryptanalysis.
But there's a big difference: the random oracle `assumption` is clearly not
valid for SHA-1 (or any other specific hash function). Since this is
trivial, it is less clear what is the cryptoanalytical problem that SHA1 was
tested for. SHA-1 (and similar functions) were tested mainly for
collision-resistance (and also for one-wayness). But clearly these
properties are not sufficient for the proposed use (to extract entropy).
So the question is again: what is an assumption which we can test SHA-1
against, and which is sufficient to make the `entropy crunching alg` secure?
I found that when trying to explain and define hash functions and their
properties, I didn't find a satisfactory definition for the `randomness`
properties.
Best Regards, Amir Herzberg
See http://amir.herzberg.name/book.html for lectures and draft-chapters
from book-in-progress, `Introduction to Cryptography, Secure Communication
and Commerce`; feedback appreciated!
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list