At 7:10 PM -0500 1/15/02, Adam Fields wrote:
>"Arnold G. Reinhold" says:
>> This result would seem to raise questions about SHA1 and MD5 as much
>> as about the quality of /dev/random and /dev/urandom. Naively, it
>> should be difficult to create input to these hash functions that
>> cause their output to fail any statistical test.
>
>I would think that this would only be relevant if there was a
>correlation between inputs and outputs. Lack of entropic skew across
>the bits of the output shouldn't give any clues to the specific input,
>unless the outputs are clumping across the output
>space. Theoretically, the hash functions ought to be able to output
>every bit string in the output space, so you'd realistically expect a
>fair number of runs.
>
>You're right - it should be difficult to create inputs to the hash
>functions that cause their output to fail a distribution test, but
>doing so casts doubt on the randomness of the inputs, not the
>distribution space of the hash.
...
Quite the opposite. The only thing you should be able to determine from the output of a good hash is whether two input strings are identical. You pretty much acknowledge that in your first paragraph. You shouldn't be able to tell the difference between a random string and the sequence n || n+1 || n+2 || ... . Even a mediocre hash should make it impossible to distinguish between a good random input string and a not-so-good one. That is one of the criticisms of the Pentium RNG: the whitening hardware prevents one from analyzing the underlying randomness of the generator hardware.

Any statistical irregularities in the output of a hash like SHA1 or MD5 are far more likely to be an artifact of the hash algorithm rather than some regularity in the input.

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
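The point being argued above, as an added illustration that is not part of the thread: a plain counter n || n+1 || n+2 || ... fails basic statistical tests, yet the same counter passed through SHA1 or MD5 passes them, so a distribution test on hashed output tells you nothing about the entropy of the input. The block width, thresholds and test functions are choices made here, not anything from the list discussion.

```python
import hashlib
import math
import struct
from collections import Counter


def counter_stream(start: int, count: int) -> bytes:
    """The low-entropy input: n || n+1 || n+2 || ... as 8-byte big-endian words."""
    return b"".join(struct.pack(">Q", start + i) for i in range(count))


def whiten(data: bytes, block: int = 8, algo: str = "sha1") -> bytes:
    """Hash each `block`-byte word separately, as a whitening stage in front of a
    raw generator would, and concatenate the digests."""
    return b"".join(
        hashlib.new(algo, data[i:i + block]).digest()
        for i in range(0, len(data), block)
    )


def monobit_z(data: bytes) -> float:
    """z-score of the count of 1 bits against the expected n/2 (FIPS/NIST monobit idea)."""
    ones = sum(bin(b).count("1") for b in data)
    n = 8 * len(data)
    return (ones - n / 2) / (math.sqrt(n) / 2)


def byte_chi2(data: bytes) -> float:
    """Chi-square of the byte-value histogram against a uniform 256-way distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def looks_random(data: bytes) -> bool:
    # Generous thresholds chosen here: |z| < 4 for monobit; chi-square below
    # mean 255 + 5 sd (sd ~ 22.6 for 255 degrees of freedom).
    return abs(monobit_z(data)) < 4.0 and byte_chi2(data) < 368.0


if __name__ == "__main__":
    raw = counter_stream(0, 4000)  # constructed input: 32,000 bytes of counter
    for label, stream in (("raw counter", raw),
                          ("sha1(counter)", whiten(raw)),
                          ("md5(counter)", whiten(raw, algo="md5"))):
        print(f"{label:14s} monobit z={monobit_z(stream):8.2f} "
              f"chi2={byte_chi2(stream):9.1f} passes={looks_random(stream)}")
```

The hashed streams pass both tests while the counter fails them badly; the tests only ever measure the hash, which is exactly why they say nothing about the underlying generator.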
