On Sun, 1 Aug 1999, Sandy Harris wrote:

> The question, then is how best to make it into
> a two-stage design. Mainly, choose a block cipher
> and modify the hashing to suit. 

No, block ciphers are weak against related-key attacks, which happen all
over the place in the threat model on SRNGs.

The only real problem with the algorithm Yarrow uses is that it doesn't
rehash the internal state after every chunk of output, which is sort of
like using a hash algorithm as an encryption algorithm. The way to fix
that completely is to rehash the internal pool state after every output
and use different hash algorithms for the internal hashing and the output
derivation. Since RIPEMD-160 has a version with an output twice as long,
it would make sense to use that for output derivation (a significant
performance win, since it halves the amount of hashing which has to be
done) and SHA-1 for internal mixing.

I think the 160-bit safety involved in both SHA-1 and RIPEMD-160 will
continue to be excessive for many years to come, so there's no reason to
worry about it being 'too small'.

-Bram
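The two-hash design Bram sketches, as an added Python example that is not part of the thread: one hash mixes the internal pool, a different longer-output hash derives output, and the pool is rehashed after every output block. It assumes hashlib's sha1 as the mixing hash and sha512 as a stand-in for the double-length RIPEMD variant (hashlib has no RIPEMD-320); the counter and domain-separation tags are my own construction.

```python
import hashlib


class TwoHashPool:
    """Toy generator: SHA-1 for internal mixing, a different (longer) hash
    for output derivation, pool rehashed after every output.
    Assumption (not from the email): sha512 stands in for RIPEMD-320."""

    def __init__(self, seed: bytes):
        # The pool is always exactly one SHA-1 digest (20 bytes).
        self.pool = hashlib.sha1(b"init" + seed).digest()
        self.counter = 0

    def add_entropy(self, data: bytes) -> None:
        # Fold new input into the pool with the mixing hash.
        self.pool = hashlib.sha1(b"mix" + self.pool + data).digest()

    def next_block(self) -> bytes:
        ctr = self.counter.to_bytes(8, "big")
        # Output derivation uses a different hash than mixing does, so an
        # output block is never an intermediate value of the mixing chain.
        out = hashlib.sha512(b"out" + self.pool + ctr).digest()
        # Rehash the pool after every output (the fix the email argues for):
        # someone who later learns the pool cannot recompute this block,
        # because the pool value that produced it no longer exists.
        self.pool = hashlib.sha1(b"step" + self.pool + ctr).digest()
        self.counter += 1
        return out


def generate(seed: bytes, n: int) -> list:
    """Return n output blocks from a fresh generator seeded with seed."""
    g = TwoHashPool(seed)
    return [g.next_block() for _ in range(n)]


def pool_changes_per_output(seed: bytes) -> bool:
    """Check that each output block leaves a different pool behind."""
    g = TwoHashPool(seed)
    seen = set()
    for _ in range(4):
        g.next_block()
        if g.pool in seen:
            return False
        seen.add(g.pool)
    return True


def entropy_changes_output(seed: bytes, extra: bytes) -> bool:
    """Two generators with the same seed diverge once one receives extra input."""
    a, b = TwoHashPool(seed), TwoHashPool(seed)
    a.next_block(), b.next_block()
    b.add_entropy(extra)
    return a.next_block() != b.next_block()
```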
