[cryptography] "folded" SHA1 vs HMAC for entropy extraction
danilo.gligoroski at gmail.com
Thu Jan 5 17:20:08 EST 2012
I would avoid "folding" since it leaks a tiny bit of information about the
next updated state of the pool.
From: cryptography-bounces at randombit.net
[mailto:cryptography-bounces at randombit.net] On Behalf Of Thor Lancelot Simon
Sent: Thursday, January 05, 2012 10:46 PM
Cc: cryptography at randombit.net
Subject: Re: [cryptography] "folded" SHA1 vs HMAC for entropy extraction
On Fri, Jan 06, 2012 at 07:59:30AM +1100, ianG wrote:
> The way I treat this problem is that it is analogous to inventing
> ones own algorithm. From that perspective, one can ask:
What is? The "folded" SHA, or the use of HMAC?
You do understand why it's important to obscure what's mixed back in,
I assume. If not, read the paper I referenced on the Linux RNG;
by insufficiently obscuring what went back into the pool, the
implementors made an attack with only 2^64 complexity possible.
With the constraint that you can't just output exactly what you
mix back in, a plain hash function without some further transformation
won't suffice, whether it's MD4 or SHA512. I am asking whether the
use of HMAC with two different, well known keys, one for each purpose,
is better or worse than using the "folded" output of a single SHA
invocation for one purpose and the unfolded output of that same
invocation for the other.
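The two extractor designs Thor compares, written out as an added example (this is not code from the thread, from the Linux RNG, or from any other real generator). The 64-byte pool contents, the two HMAC key labels and the XOR-based mix-back step are all constructed assumptions chosen so the example runs offline and deterministically; a real pool update would be more involved. The folded variant takes one SHA-1 digest, mixes the full 20 bytes back into the pool and hands the caller the two halves XORed together; the HMAC variant evaluates HMAC-SHA1 twice over the same pool under two distinct well-known keys, one for the caller and one for the feedback value. The last two functions check the relation Danilo's reply objects to: with folding, the output is by construction the XOR of the two halves of the fed-back digest, whereas with two keyed HMACs that particular relation does not hold.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed toy pool state (64 bytes). In a real RNG this is the
# accumulated entropy pool; here it is a fixed sample so the example runs
# offline and gives reproducible values.
POOL = bytes(range(64))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def extract_folded_sha1(pool: bytes) -> Tuple[bytes, bytes]:
    """'Folded' SHA-1 extraction, as described in the thread.

    One SHA-1 invocation over the pool yields a 20-byte digest. The full
    digest is the value mixed back into the pool; the caller receives the
    two 10-byte halves XORed together. Returns (output, feedback).
    """
    digest = hashlib.sha1(pool).digest()
    feedback = digest
    output = xor_bytes(digest[:10], digest[10:])
    return output, feedback


# Two fixed, public HMAC keys, one per purpose. The labels are an
# assumption for this example; any two distinct well-known constants work.
KEY_OUTPUT = b"entropy-output"
KEY_FEEDBACK = b"entropy-feedback"


def extract_hmac_sha1(pool: bytes) -> Tuple[bytes, bytes]:
    """HMAC extraction with two well-known keys, one for each purpose.

    Two separate HMAC-SHA1 evaluations over the same pool: one keyed for
    the caller's output, one keyed for the value mixed back into the pool.
    Returns (output, feedback).
    """
    output = hmac.new(KEY_OUTPUT, pool, hashlib.sha1).digest()
    feedback = hmac.new(KEY_FEEDBACK, pool, hashlib.sha1).digest()
    return output, feedback


def mix_back(pool: bytes, feedback: bytes) -> bytes:
    """Toy pool update (an assumption, not a real mixing function): XOR the
    feedback value into the leading bytes of the pool."""
    n = len(feedback)
    return xor_bytes(pool[:n], feedback) + pool[n:]


def folded_output_constrains_feedback(pool: bytes) -> bool:
    """With folding, the caller's output equals fb[:10] XOR fb[10:] where fb
    is the value mixed back. Anyone holding the output who learns one half
    of fb therefore knows the other half. Always True by construction."""
    output, feedback = extract_folded_sha1(pool)
    return output == xor_bytes(feedback[:10], feedback[10:])


def hmac_output_constrains_feedback(pool: bytes) -> bool:
    """Check the same folding relation against the two-key HMAC design.
    Because output and feedback are separate PRF evaluations under
    different keys, the relation does not hold (this one check shows the
    absence of that specific relation, not a proof of independence)."""
    output, feedback = extract_hmac_sha1(pool)
    return output[:10] == xor_bytes(feedback[:10], feedback[10:])


def round_trip(pool: bytes, use_hmac: bool) -> Tuple[bytes, bytes]:
    """Run one extraction round: return (caller output, next pool state)."""
    extract = extract_hmac_sha1 if use_hmac else extract_folded_sha1
    output, feedback = extract(pool)
    return output, mix_back(pool, feedback)


if __name__ == "__main__":
    for name, flag in (("folded SHA-1", False), ("two-key HMAC-SHA1", True)):
        out, nxt = round_trip(POOL, flag)
        print(f"{name}: output={out.hex()} next_pool[:20]={nxt[:20].hex()}")
    print("folded output fixes XOR of fed-back halves:",
          folded_output_constrains_feedback(POOL))
    print("HMAC output fixes XOR of fed-back halves:",
          hmac_output_constrains_feedback(POOL))
```

The checks are deliberately narrow: they demonstrate the linear relation that folding leaves between what the caller sees and what is mixed back, which is the "tiny bit of information" Danilo's reply refers to, and show that the two-key HMAC construction does not exhibit that particular relation. Whether HMAC with fixed public keys is the right extractor overall is the question the thread leaves open.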