passphrases with more than 160 bits of entropy
Stefan Lucks
lucks at th.informatik.uni-mannheim.de
Wed Mar 22 02:25:47 EST 2006
> Does anyone have a good idea on how to OWF passphrases without
> reducing them to lower entropy counts? That is, I've seen systems
> which hash the passphrase then use a PRF to expand the result --- I
> don't want to do that. I want to have more than 160 bits of entropy
> involved.
What kind of application are you running, that > 150 bits of entropy is
insufficient?
> I was thinking that one could hash the first block, copy the
> intermediate state, finalize it, then continue the intermediate result
> with the next block, and finalize that. Is this safe? Is there a
> better alternative?
As I understand your proposal, you split up the passphrase P into L Blocks
P_1, ..., P_L, (padding the last block P_L as neccessary) and then you
output L*160 bit like this:
F(P) = ( H(P_1), H(P_1,P_2), ..., H(P_1, P_2, ..., P_L) ).
This does not look like a good idea to me:
1. If the size of the P_i is the internal block size of the hash
function (e.g., 512 bit for SHA-1, SHA-256, or RIPEMD-160) and
your message P=P_1 is just one block long, you definitively end
with (at most) 160 bit of entropy, how large the entropy in P_1
is (could be 512 bit).
2. If the local entropy in each block P_i (or even the conditional
entropy in P_i, given all the P_{i-1}, ..., P_1) is low, then you
can step by step find P. This function F(P) is thus *much* *worse*
than its simple and straight counterpart H(P).
3. In fact, to calculate the entropy of F(P), you can take the
conditional entropy in P_i. The entropy of F(P) is close to the
maximum of these conditional entropies ...
Any better solution I can think of will be significantly less performant
than just applying H(P). One idea of mine would be the function G:
* Let <i> be a counter of some fixed size, say 32 bit.
* Let J+1 be the number of 160-bit values you need (e.g., J = 4*L).
* G(P) = ( H(P_1,<0>,P_1,P_2,<0>,P_2, ..., P_L,<0>,P_L),
H(P_2,<1>,P_2, ..., P_L,<1>,P_L,P_1,<1>,P_1),
...
H(P_L,<J>,P_L,P_1,<J>,P_1, ..., P_{L-1},<J>,P_{L-1})
)
Would that be OK for you application?
In any case, I think that using a 160-bit hash function as a building
block for a universal one-way function with (potentially) much more than
160-bit of entropy is a bit shaky.
--
Stefan Lucks Th. Informatik, Univ. Mannheim, 68131 Mannheim, Germany
e-mail: lucks at th.informatik.uni-mannheim.de
home: http://th.informatik.uni-mannheim.de/people/lucks/
------ I love the taste of Cryptanalysis in the morning! ------
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list