[11386] in cryptography@c2.net mail archive
Re: Extracting uniform randomness from noisy source
daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Aug 7 23:22:18 2002
Date: Wed, 07 Aug 2002 23:13:39 -0400
To: daw@mozart.cs.berkeley.edu (David Wagner),
cryptography@wasabisystems.com
From: John Kelsey <kelsey.j@ix.netcom.com>
In-Reply-To: <ais904$i5s$1@abraham.cs.berkeley.edu>
At 11:03 PM 8/7/02 +0000, David Wagner wrote:
>John Kelsey wrote:
>>b. The first input block is not a random 128-bit value, and can reliably
>>be distinguished from one. In this case, the input just doesn't have full
>>entropy, and any known function you apply to it with a 128-bit output is
>>distinguishable from a random output. A one-way function just makes it
>>harder to distinguish these outputs, for a computationally-bounded
>>attacker. But how important this is depends on our assumptions about the
>>attacker's abilities; if we assume the attacker can do 110-bit searches,
>>then he can generally distinguish the output of *any* known function with
>>only 110 bits of entropy with reasonable probability.
>
>I was assuming that the first block has 80 bits of entropy, and that
>the attacker can't do 80-bit exhaustive searches. In such a scenario,
>my attack applies. The attack does not apply to all scenarios, but in
>cryptanalysis we are usually willing to consider the assumptions most
>favorable to the attacker, as long as they are at all plausible.
Yeah, sorry. I jumped in without realizing my starting assumptions were
different than yours.
--John Kelsey, kelsey.j@ix.netcom.com
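The point both writers agree on above, that an input block with only k bits of entropy stays distinguishable from random after any known 128-bit function once the attacker can afford a 2^k search, can be shown at toy scale. The following script is an added example and is not code from either participant; it scales the thread's 80-bit/110-bit figures down to a constructed 16-bit source, uses SHA-256 truncated to 128 bits as the "known function", and lets the distinguisher enumerate every possible input once. The names, the block layout and the trial counts are all assumptions made for the illustration.

```python
import hashlib
import os
import random

# Constructed toy parameters: a source with only 16 bits of entropy per
# 128-bit block (a stand-in for the 80-bit / 110-bit figures in the thread),
# so that the attacker's "2^k search" fits in a fraction of a second.
ENTROPY_BITS = 16
BLOCK_LEN = 16  # 128-bit input block, as in the discussion


def source_block(value):
    """Encode one of the 2^ENTROPY_BITS possible source values as a 128-bit block.

    Constructed encoding: the low-entropy part occupies the first two bytes and
    the remainder of the block is fixed (zero). The exact layout is irrelevant
    to the argument; only the number of distinct blocks matters.
    """
    low = value.to_bytes(ENTROPY_BITS // 8, "big")
    return low + b"\x00" * (BLOCK_LEN - len(low))


def extract(block):
    """The 'known function' with 128-bit output: SHA-256 truncated to 16 bytes."""
    return hashlib.sha256(block).digest()[:BLOCK_LEN]


def build_table():
    """The 2^k search: precompute the extractor output for every possible input.

    This is all the distinguisher needs. One-wayness of SHA-256 buys nothing
    once the whole state space of the source can be enumerated.
    """
    return {extract(source_block(v)) for v in range(1 << ENTROPY_BITS)}


def looks_like_extractor_output(table, candidate):
    """True when the 128-bit candidate could have come from the extractor."""
    return candidate in table


def run_experiment(trials=1000, seed=1):
    """Return (hits on real extractor outputs, hits on uniformly random strings).

    A perfect extractor would make both counts indistinguishable; with a
    16-bit source the first count is always `trials` and the second is
    essentially always 0 (false-positive probability 2^16 / 2^128 per trial).
    """
    rng = random.Random(seed)  # seeded only so the experiment is repeatable
    table = build_table()
    real_hits = sum(
        looks_like_extractor_output(
            table, extract(source_block(rng.randrange(1 << ENTROPY_BITS)))
        )
        for _ in range(trials)
    )
    uniform_hits = sum(
        looks_like_extractor_output(table, os.urandom(BLOCK_LEN))
        for _ in range(trials)
    )
    return real_hits, uniform_hits


if __name__ == "__main__":
    real, uniform = run_experiment()
    print(f"table size: 2^{ENTROPY_BITS} entries")
    print(f"flagged as extractor output: real={real}/1000, uniform={uniform}/1000")
```

The defensive reading is the one the thread converges on: the conditioning function cannot add entropy, so the budget that matters is the entropy estimate of the source against the attacker's assumed search capability, and a design that pools several blocks before producing any output raises that budget where a stronger hash does not.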
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com