David Wagner said, > The problem can really be divided into two parts: > 1. Is our entropy crunching algorithm secure when used with > a random oracle instead of SHA1? > 2. Does SHA1 behave enough like a random oracle that the answer > to question 1. is in any way relevant to the real world? > I suspect that question 1. is not hard to answer in a formal, > rigorous, provable way. It is only question 2. that is hard > to answer. It is absolutely true that we have no proof for > question 2. > > That said, we should keep in mind that none of our > cryptographic algorithms (even 3DES) come with a proof of > security. All we have to rest on is years of unsuccessful > cryptanalysis.
But there's a big difference: the random oracle `assumption` is clearly not valid for SHA-1 (or any other specific hash function). Since this is trivial, it is less clear what is the cryptoanalytical problem that SHA1 was tested for. SHA-1 (and similar functions) were tested mainly for collision-resistance (and also for one-wayness). But clearly these properties are not sufficient for the proposed use (to extract entropy). So the question is again: what is an assumption which we can test SHA-1 against, and which is sufficient to make the `entropy crunching alg` secure? I found that when trying to explain and define hash functions and their properties, I didn't find a satisfactory definition for the `randomness` properties. Best Regards, Amir Herzberg See http://amir.herzberg.name/book.html for lectures and draft-chapters from book-in-progress, `Introduction to Cryptography, Secure Communication and Commerce`; feedback appreciated! --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]