Re: /dev/random and /dev/psaux: too much entropy assumed?

C. Scott Ananian (cananian@lesser-magoo.lcs.mit.edu)
Tue, 1 Jun 1999 17:11:42 -0400 (EDT)


On Tue, 1 Jun 1999, David Whysong wrote:

> On Tue, 1 Jun 1999, C. Scott Ananian wrote:
> >On 1 Jun 1999, Florian Weimer wrote:
> >> further question: The implementation of /dev/random assumes that the
> >> output of the SHA-1 hash function is random for random (or almost random)
> >> input. Neither the people on sci.crypt nor I know of any analysis
> >> of SHA-1 in this direction (which doesn't prove anything of course).
[...]
> >Patent issues, I strongly suspect. And most of the applications for
> >/dev/random don't actually require 'uniformly distributed' output (which
> >is my guess as to what you mean by 'random'); rather they require
> >'unguessable' output. SHA-1, being a strong one-way function, provides
> >unguessable output.
[...]
> What? /dev/random not uniform? You've got to be kidding!

Careful, I didn't quite say that. The original poster said "he didn't
know of any analysis of SHA-1" and I said "it probably doesn't matter".
Neither of us is claiming that SHA-1 isn't uniform.

I personally doubt that you'll find any *specific* proofs that SHA-1 is
uniform because I believe that there are *general* proofs relating
security to uniformity, and then *specific* proofs of certain security
properties to SHA-1. The cryptography community generally has a much
higher standard of proof than the statistical community, and I would be
very very surprised indeed to find a *secure* algorithm that was *not*
statistically random. On the other hand, there are many uniformly random
sources that are not secure.
--s
@ @
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-oOO-(_)-OOo-=-=-=-=-=
C. Scott Ananian: cananian@lcs.mit.edu / Declare the Truth boldly and
Laboratory for Computer Science/Crypto / without hindrance.
Massachusetts Institute of Technology /META-PARRESIAS AKOLUTOS:Acts 28:31
-.-. .-.. .. ..-. ..-. --- .-. -.. ... -.-. --- - - .- -. .- -. .. .- -.
PGP key available via finger and from http://www.pdos.lcs.mit.edu/~cananian

Serbian PLO quiche AES Shoal Bay NORAD Albanian bomb Japan nuclear
radar AK-47 SEAL Team 6 spy Soviet Semtex Hager fissionable Qaddafi
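An added illustration of the distinction drawn in the message above ("secure implies statistically random, but uniform does not imply secure"); this is example code written for this page, not code from the thread and not the kernel's /dev/random implementation. It runs a byte-histogram chi-square test over two constructed streams: a linear congruential generator whose full state is its output (glibc-style constants, chosen here for illustration), and SHA-1 over a constructed secret concatenated with a counter, standing in for hashing a pool. Both pass the uniformity test; only the LCG lets an observer predict every future output from a single one.

```python
import hashlib
import struct

# Constructed LCG parameters (glibc-style a, c, m); chosen for illustration only.
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 2 ** 31


def lcg_stream(seed, n):
    """Return n successive LCG states. The whole state is the output,
    so an observer sees exactly what the generator will feed forward."""
    x = seed % LCG_M
    out = []
    for _ in range(n):
        x = (LCG_A * x + LCG_C) % LCG_M
        out.append(x)
    return out


def lcg_predict_next(observed):
    """Given one observed output, the next is a fixed affine function of it.
    Nothing secret is left for the observer to guess."""
    return (LCG_A * observed + LCG_C) % LCG_M


def lcg_bytes(seed, n):
    """Top 8 bits of each state, the part a naive user would hand out as 'random bytes'."""
    return bytes((x >> 23) & 0xFF for x in lcg_stream(seed, n))


def sha1_counter_stream(secret, n_blocks):
    """SHA-1(secret || counter) for successive counters, digests concatenated.
    Stands in for hashing an entropy pool; 'secret' is a constructed key."""
    out = bytearray()
    for i in range(n_blocks):
        out += hashlib.sha1(secret + struct.pack(">Q", i)).digest()
    return bytes(out)


def chi_square_bytes(data):
    """Pearson chi-square statistic of the byte histogram against the uniform
    distribution over 256 values (255 degrees of freedom). For a uniform source
    the expected value is about 255; values above ~330 are significant at p < 0.001."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def compare_sources(seed=0x1234ABCD, n=65536):
    """Run both streams through the same uniformity test and check LCG predictability."""
    states = lcg_stream(seed, n)
    predictable = all(
        lcg_predict_next(states[i]) == states[i + 1] for i in range(len(states) - 1)
    )
    sha1_data = sha1_counter_stream(b"constructed-pool-secret", n // 20 + 1)[:n]
    return {
        "lcg_chi2": chi_square_bytes(lcg_bytes(seed, n)),
        "lcg_predictable_from_one_output": predictable,
        "sha1_chi2": chi_square_bytes(sha1_data),
    }


if __name__ == "__main__":
    for k, v in compare_sources().items():
        print(f"{k}: {v}")
```

Both chi-square values sit in the range a uniform source produces, so a statistical test alone cannot separate them; the LCG fails only the "unguessable" requirement, which is the one that matters for key material. The converse direction (a one-way function whose output a cheap statistical test could distinguish from uniform would not be secure) is the argument the message makes, and the SHA-1 stream passing here is the expected consequence, not a proof of it.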

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/