Re: [RFC][PATCH] Make cryptoapi non-optional?

From: Jamie Lokier
Date: Fri Aug 15 2003 - 06:53:52 EST


Val Henson wrote:
> > I still do not see why either F or G are any more secure than SHA.
>
> They aren't, in the sense of cryptographically signing a document.
> They do reveal less information about the input than SHA-1.

Not really. There are two ways in which these functions can reveal
something about the input:

1. Non-random input. An 80 bit signature is virtually as good as a
160 bit signature at confirming an attacker's hypothesis about
the input being among a set of known inputs. It's not like the
kernel is deliberately trying to induce collisions, which is the
usual reason for wanting more signature bits.

2. Random input, i.e. plenty of real entropy. If there is a weakness
in the hash which NSA can use to determine the bit state, then
it's true that F or G _might_ reveal half of the information that
SHA would, if the weakness is also present in F and G. Or it
might reveal much less (Ted's hypothesis for F), or more (see 1).

But! When someone reads x bytes from /dev/urandom, twice as many
hash transforms are performed with F or G than with SHA.

So, if someone reads x bytes, the amount of information revealed
through weakness could be less or more with F or G than with SHA.

> > Unless we're postulating that SHA is deliberately weak, so that the
> > designers have a back door, that is not present in F or G.
>
> That's exactly what Ted described as his reason for doing the folding
> in the first place.

At least that reason makes sense :)

> Matt Mackall simply pointed out that a little bit of information
> theory will show you that throwing away half the output is more
> effective.

No, that depends on the nature of the hypothetical back door.

They could have engineered a back door which is completely present
when you throw the second half of the bits away. Or any half of the
bits. Or when you fold the bits together. Or which reveals some but
less information when you do any of these.

In other words, you can't protect against a deliberate back door in
SHA, you can only try to scramble the output in some way that NSA
didn't prepare for. And then you cannot be sure you succeeded.

-- Jamie

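An added illustration, not part of the thread, of the point above that a folded 80-bit extractor runs twice as many SHA-1 transforms per byte read as the plain 160-bit one. It assumes the folded variant XORs the two halves of the digest together (the message does not define how F or G are built) and uses a constructed placeholder pool state.

```python
import hashlib

DIGEST = 20         # SHA-1 digest size in bytes (160 bits)
HALF = DIGEST // 2  # 80 bits


def sha_full(block: bytes) -> bytes:
    """Plain SHA-1: one transform yields all 160 bits (the "SHA" option)."""
    return hashlib.sha1(block).digest()


def fold(digest: bytes) -> bytes:
    """XOR the two 80-bit halves of a digest (assumed model of the folding;
    the thread does not spell out the exact construction of F or G)."""
    return bytes(a ^ b for a, b in zip(digest[:HALF], digest[HALF:]))


def sha_folded(block: bytes) -> bytes:
    """Folded variant: one transform yields only 80 bits of output."""
    return fold(sha_full(block))


def sha_truncated(block: bytes) -> bytes:
    """The other 'throw half away' option: keep the first 80 bits."""
    return sha_full(block)[:HALF]


def extract(nbytes: int, extractor, pool: bytes = b"constructed pool state"):
    """Draw nbytes of output by running extractor over (pool || counter)
    until enough bytes exist. Returns (output, number_of_transforms)."""
    out = bytearray()
    runs = 0
    while len(out) < nbytes:
        out += extractor(pool + runs.to_bytes(4, "big"))
        runs += 1
    return bytes(out[:nbytes]), runs


def transform_ratio(nbytes: int) -> float:
    """Transforms needed by the folded variant divided by those needed by
    plain SHA-1 for the same amount of output."""
    _, full = extract(nbytes, sha_full)
    _, folded = extract(nbytes, sha_folded)
    return folded / full


if __name__ == "__main__":
    for n in (20, 100, 4096):
        print(n, "bytes:", extract(n, sha_full)[1], "transforms (SHA) vs",
              extract(n, sha_folded)[1], "transforms (folded)")
```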