On Sun, May 18, 2008 at 05:24:51PM -0400, Thor Lancelot Simon wrote:
> So you're comfortable with the adversary knowing, let's say, 511 of
> the first 512 bits fed through SHA1?

*Sigh*. Thor, you clearly have no idea how SHA-1 works. In fact, I'd be
comfortable with an adversary knowing the first megabyte of data fed
through SHA1, as long as it was followed up by at least 256 bits which
the adversary *didn't* know.

Look, SHA-1 works by having a Very Complicated Mixing function that
takes a state function, and mixes in the input in a one-way fashion, in
chunks of 64 bytes at a time. The initial state looks like this:

    67452301 efcdab89 98badcfe 10325476 c3d2e1f0

It doesn't look very random, but that's OK. You have to start
*somewhere* --- and it's a public value.

If you mix in a megabyte of known data, it is the equivalent of changing
the initial state to something else. Effectively, it's another public
starting value. As long as you follow up the megabyte of known data with
256 bits of unknown data, you could feed another megabyte of known data,
and the adversary would have no idea what the internal state of the
SHA-1 hash function would look like.

If this were not true, SHA-1's mixing function would be so thoroughly
broken that all use of SHA-1 for digital signatures, certificates, etc.,
would be totally broken. So if you don't trust SHA-1 for use in PRNGs,
then you shouldn't trust SHA-1 for *anything*.

- Ted

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
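The argument above can be checked directly on the SHA-1 compression function. The following is an added example, not code from the message or from OpenSSL: it implements SHA-1's 64-byte mixing step from the public initial state, shows that absorbing a known prefix just yields another public starting state, and counts how many of the 160 state bits change when a single bit of a 256-bit unknown segment changes. The function names, the `state_after` helper and the sample stream (64 known bytes, a 32-byte secret, 96 known bytes) are constructed for this illustration.

```python
import struct

# SHA-1's public initial state: the five words quoted in the message.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def sha1_compress(state, block):
    """One-way mix of a 64-byte block into the five-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK, a, _rotl(b, 30), c, d
    # Feed-forward of the old state is what makes the step one-way.
    return tuple((s + v) & MASK for s, v in zip(state, (a, b, c, d, e)))

def state_after(data, state=SHA1_IV):
    """State after absorbing every complete 64-byte chunk (no padding).
    For a fully known prefix this is just another public starting value."""
    for off in range(0, len(data) - len(data) % 64, 64):
        state = sha1_compress(state, data[off:off + 64])
    return state

def sha1_digest(data):
    """Full SHA-1 (pad, absorb, serialise): same core as the standard hash."""
    pad = b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack(">Q", 8 * len(data))
    return struct.pack(">5I", *state_after(data + pad))

def state_bits_changed(known_prefix, secret_a, secret_b, known_suffix):
    """Bits (of 160) of state that differ when only the unknown 256-bit segment differs."""
    sa = state_after(known_prefix + secret_a + known_suffix)
    sb = state_after(known_prefix + secret_b + known_suffix)
    return sum(bin(x ^ y).count("1") for x, y in zip(sa, sb))

# Constructed sample stream: 64 known bytes, a 256-bit secret, 96 more known bytes.
KNOWN_PREFIX, KNOWN_SUFFIX = b"K" * 64, b"J" * 96
SECRET_A = b"\x00" * 32
SECRET_B = b"\x00" * 31 + b"\x01"   # differs from SECRET_A in one bit only
```

Running `state_after(KNOWN_PREFIX)` gives the state anyone can compute from public data; flipping one bit of the secret segment changes roughly half of the 160 state bits, which is the property Ted is relying on.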