On Sun, May 18, 2008 at 05:24:51PM -0400, Thor Lancelot Simon wrote:
> So you're comfortable with the adversary knowing, let's say, 511 of
> the first 512 bits fed through SHA1?

*Sigh*.  

Thor, you clearly have no idea how SHA-1 works.  In fact, I'd be
comfortable with an adversary knowing the first megabyte of data fed
through SHA1, as long as it was followed up by at least 256 bits which
the adversary *didn't* know.

Look, SHA-1 works by having a Very Complicated Mixing function that
takes a state function, and mixes in the input in a one-way fashion,
in chunks of 64 bytes at a time.  The initial state looks like this:

67452301 efcdab89 98badcfe 10325476 c3d2e1f0

It doesn't look very random, but that's OK.  You have to start
*somewhere* --- and it's a public value.  If you mix in a megabyte of
known data, it is the equivalent of changing the initial state to
something else.  Effectively, it's another public starting value.  

As long as you follow up the megabyte of known data with 256 bits of
unknown data, you could feed another megabyte of known data, and the
adversary would have no idea what the internal state of the SHA-1 hash
function would look like.  If this were not true, SHA-1's mixing
function would be so thoroughly broken that all use of SHA-1 for
digital signatures, certificates, etc., would be totally broken.

So if you don't trust SHA-1 for use in PRNGs, then you shouldn't
trust SHA-1 for *anything*.

                                                - Ted
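As an added illustration of the point above (example code, not from the message or from OpenSSL): a minimal SHA-1 in Python that starts from the initial state words quoted above, then hashes a constructed 64-byte public prefix followed by a constructed 256-bit unknown suffix two ways, once from the standard IV and once resuming from the state left after the public prefix. The digests agree with each other and with hashlib, which is the "known data just moves the starting state" claim made concrete; the function names and sample inputs are assumptions of this example.

```python
import hashlib
import struct

# SHA-1 initial state: the five public words quoted in the message.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def compress(state, block):
    """The SHA-1 mixing function: fold one 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def pad(msg):
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, then the 64-bit bit length.
    tail = b"\x80" + b"\x00" * ((55 - len(msg)) % 64)
    return msg + tail + struct.pack(">Q", len(msg) * 8)

def absorb(state, data):
    """Feed whole 64-byte blocks through compress(), returning the resulting state."""
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return state

def sha1_hex(msg):
    return "".join(f"{x:08x}" for x in absorb(IV, pad(msg)))

# Constructed sample inputs: a block-aligned public prefix and a 256-bit unknown suffix.
PUBLIC_PREFIX = b"public, known input".ljust(64, b"-")
SECRET = bytes(range(32))

def check_prefix_equivalence(prefix=PUBLIC_PREFIX, secret=SECRET):
    """Hash prefix+secret from the IV, and again resumed from the post-prefix state."""
    new_iv = absorb(IV, prefix)  # public: computable from the public prefix alone
    rest = pad(prefix + secret)[len(prefix):]  # the remaining blocks, padded as a whole
    resumed = "".join(f"{x:08x}" for x in absorb(new_iv, rest))
    return sha1_hex(prefix + secret), resumed, hashlib.sha1(prefix + secret).hexdigest()
```

Without the 256-bit suffix, the state after the prefix is exactly what anyone else can compute; with it, the resumed digest can only be reproduced by someone who also holds the suffix.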
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org