[707] in cryptography@c2.net mail archive


Re: Random numbers from the '60's...

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue May 6 12:17:26 1997

To: colin@nyx.net (Colin Plumb)
cc: cryptography@c2.net
In-reply-to: Your message of "Mon, 05 May 1997 23:07:53 MDT."
             <9705060507.AA16619@nyx.net> 
Reply-To: perry@piermont.com
Date: Tue, 06 May 1997 12:06:44 -0400
From: "Perry E. Metzger" <perry@piermont.com>


Colin Plumb writes:
> > It feels right, but the times that I've asked smart crypto people
> > (such as Hugo K., and Matt Blaze) for an answer to the question "can
> > you distill entropy with a hash function", I've gotten answers that
> > ranged from "Interesting question!" to "Well, it *should* be possible
> > to answer that question one way or another... I'll try to prove some
> > properties you'd need..."
> 
> Actually, it's not that hard to prove, at least until you get to the
> tricky point of proving properties of hash functions.

Colin;

With all due respect, I trust Hugo Krawczyk's judgment on such things
very strongly, and he said (in response to my private queries) that he
wasn't sure about the issue offhand. The last time he said something
like that, we ended up having to replace the MAC in the IPSec specs.

BTW, I want to caution people: I have, as I said, no reason to believe
current practice is actually bad, and none of the theory people have
said that they know that it is bad -- they've just (worryingly) said
that they don't truly know that current practice is good...

Perry
