bram
Mon, 2 Aug 1999 13:59:11 -0700
On Sun, 1 Aug 1999, Sandy Harris wrote:

> The question, then, is how best to make it into
> a two-stage design. Mainly, choose a block cipher
> and modify the hashing to suit.

No, block ciphers are weak against related-key attacks, which happen all over the place in the threat model on SRNGs.

The only real problem with the algorithm Yarrow uses is that it doesn't rehash the internal state after every chunk of output, which is sort of like using a hash algorithm as an encryption algorithm. The way to fix that completely is to rehash the internal pool state after every output and use different hash algorithms for the internal hashing and the output derivation. Since RIPEMD-160 has a version with an output twice as long, it would make sense to use that for output derivation (a significant performance win, since it halves the amount of hashing which has to be done) and SHA-1 for internal mixing.

I think the 160 bit safety involved in both SHA-1 and RIPEMD-160 will continue to be excessive for many years to come, so there's no reason to worry about it being 'too small'.

-Bram
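A toy pool generator written to illustrate the design described in the message above (an added example, not code from the list post or from Yarrow itself). It assumes SHA-1 for internal mixing and, because Python's hashlib has no RIPEMD-320, uses SHA-512 as a stand-in for the longer-output derivation hash; the point it shows is the rehash of the pool after every output block and the use of a second hash for output.

```python
import hashlib


class RehashingPRNG:
    """Constructed pool-based generator. The pool is re-hashed after
    every block of output, and output is derived with a different hash
    than the one used for internal mixing."""

    def __init__(self, seed: bytes):
        # Internal mixing uses SHA-1, as in the message; the pool is
        # therefore a 20-byte SHA-1 digest.
        self.pool = hashlib.sha1(b"init" + seed).digest()
        self.counter = 0

    def add_entropy(self, data: bytes) -> None:
        # Fold new input into the pool with the mixing hash.
        self.pool = hashlib.sha1(b"mix" + self.pool + data).digest()

    def next_block(self) -> bytes:
        # Output derivation with a second hash. The message suggests the
        # 320-bit RIPEMD variant; SHA-512 stands in here (assumption).
        ctr = self.counter.to_bytes(8, "big")
        out = hashlib.sha512(b"out" + self.pool + ctr).digest()
        self.counter += 1
        # Re-hash the pool after every output so that an attacker who
        # later learns the pool cannot run the state backwards to
        # recover blocks already handed out.
        self.pool = hashlib.sha1(b"rehash" + self.pool).digest()
        return out

    def random_bytes(self, n: int) -> bytes:
        buf = b""
        while len(buf) < n:
            buf += self.next_block()
        return buf[:n]


def pool_changes_after_output(seed: bytes) -> bool:
    """Check that one call to next_block() replaces the pool state."""
    g = RehashingPRNG(seed)
    before = g.pool
    g.next_block()
    return g.pool != before


if __name__ == "__main__":
    print(RehashingPRNG(b"demo seed").random_bytes(32).hex())
```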