[cryptography] "folded" SHA1 vs HMAC for entropy extraction

Danilo Gligoroski danilo.gligoroski at gmail.com
Thu Jan 5 17:20:08 EST 2012

I would avoid "folding" since it is leaking a tiny amount of information about
the next updated state of the pool.


-----Original Message-----
From: cryptography-bounces at randombit.net
[mailto:cryptography-bounces at randombit.net] On Behalf Of Thor Lancelot Simon
Sent: Thursday, January 05, 2012 10:46 PM
To: ianG
Cc: cryptography at randombit.net
Subject: Re: [cryptography] "folded" SHA1 vs HMAC for entropy extraction

On Fri, Jan 06, 2012 at 07:59:30AM +1100, ianG wrote:
> The way I treat this problem is that it is analogous to inventing
> ones own algorithm.  From that perspective, one can ask:

What is?  The "folded" SHA, or the use of HMAC?

You do understand why it's important to obscure what's mixed back in,
I assume.  If not, read the paper I referenced on the Linux RNG;
by insufficiently obscuring what went back into the pool, the
implementors made an attack with only 2^64 complexity possible.

With the constraint that you can't just output exactly what you
mix back in, a plain hash function without some further transformation
won't suffice, whether it's MD4 or SHA512.  I am asking whether the
use of HMAC with two different, well known keys, one for each purpose,
is better or worse than using the "folded" output of a single SHA
invocation for one purpose and the unfolded output of that same
invocation for the other.

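The two constructions the thread compares, as an added illustration that is not code from either poster. The "folded" variant is reconstructed here as XOR of the two 80-bit halves of one SHA-1 digest (the exact fold used in any real RNG is an assumption, not stated on the page); the HMAC variant uses two fixed, public, distinct key strings, one per purpose, as Thor describes. The point the example makes concrete is Danilo's: because folded output = left XOR right, anyone holding the folded output and a guess of one half knows the other half, so the unfolded value that was mixed back is pinned down by 80 guessed bits rather than 160. A toy version with 8-bit halves enumerates that constraint. The pool contents are constructed sample data.

```python
import hashlib
import hmac
from itertools import product

# Constructed sample pool state standing in for an RNG entropy pool.
SAMPLE_POOL = bytes(range(64))


def fold(digest: bytes) -> bytes:
    """XOR the two halves of a digest (assumed fold; digest length must be even)."""
    half = len(digest) // 2
    return bytes(a ^ b for a, b in zip(digest[:half], digest[half:]))


def extract_folded(pool: bytes):
    """Folded-SHA1 extractor as discussed in the thread (reconstruction).

    Returns (output, mixback): `output` goes to the consumer, `mixback`
    (the unfolded 160-bit digest) is mixed back into the pool.
    """
    digest = hashlib.sha1(pool).digest()  # 20 bytes
    return fold(digest), digest


def extract_hmac(pool: bytes):
    """HMAC extractor: two well-known, distinct keys, one per purpose.

    Key strings are an assumption; the page only says "two different,
    well known keys".  Under the PRF assumption the two outputs are
    unrelated, so the consumer's value says nothing about the mix-back value.
    """
    out = hmac.new(b"output-key", pool, hashlib.sha1).digest()
    mix = hmac.new(b"mixback-key", pool, hashlib.sha1).digest()
    return out, mix


def recover_mixback_from_folded(folded: bytes, left_half: bytes) -> bytes:
    """What an observer of the folded output can do.

    Given the folded output and a guess of the left half of the digest, the
    right half is forced (right = folded XOR left), so the whole unfolded
    mix-back value follows from an 80-bit guess instead of a 160-bit one.
    """
    right = bytes(a ^ b for a, b in zip(folded, left_half))
    return left_half + right


def consistent_toy_digests(folded_byte: int):
    """Toy-size version: 16-bit digest, 8-bit halves.

    Enumerate every 2-byte digest whose fold equals `folded_byte`.  Out of
    2**16 possible digests only 2**8 are consistent with the observed output,
    i.e. the output leaks exactly half the bits of what was mixed back.
    """
    return [
        bytes([left, right])
        for left, right in product(range(256), repeat=2)
        if left ^ right == folded_byte
    ]


def hmac_outputs_independent(pool: bytes) -> bool:
    """Sanity check that the two HMAC values share no trivial relation
    (different, and neither half of one folds into the other)."""
    out, mix = extract_hmac(pool)
    return out != mix and fold(mix) != out[:10]


if __name__ == "__main__":
    folded, digest = extract_folded(SAMPLE_POOL)
    assert recover_mixback_from_folded(folded, digest[:10]) == digest
    print("folded output:", folded.hex())
    print("mix-back recovered from output + left half:",
          recover_mixback_from_folded(folded, digest[:10]) == digest)
    print("toy digests consistent with one folded byte:",
          len(consistent_toy_digests(0x5A)))
    print("HMAC outputs independent:", hmac_outputs_independent(SAMPLE_POOL))
```

The comparison is about structure, not about SHA-1's strength: with folding, the consumer's value is a deterministic function of the value mixed back in, which is exactly the property Thor says a plain hash "without some further transformation" cannot avoid; with two keyed HMAC calls the two values are distinct PRF outputs and the relation disappears.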