John Kelsey <[EMAIL PROTECTED]> writes:
> >If you don't mind the limitation of 1k of internal state, then
> >Panama could be used directly; push in your salt and passphrase,
> >padding to the edge of the block with one followed by zeroes, then
> >do 32 blank pulls and start pulling out your key.

> A generalization of this idea is:
> 
> S(K,len) is stream cipher output with key K and length of output len.
> hash(X) is hash function output of same size as K.
> 
> Key = S(hash(passphrase),desired key length)

I don't think I see how this is a generalisation; what are you
identifying with "K" in my description?  It's not the output from
Panama after hashing the input; that's "Key" itself.  It can't be the
internal state before the blank pulls, that would make "hash(X)" a bad 
hash function, and I think if it were the internal state after the
blank pulls then that would make "S(K,len)" a bad stream cipher.  So
I'm not sure that using Panama directly fits the model you describe.

Of course, you could use Panama in the mode you describe, but I'm not
sure I see much advantage to that; you have to make K as long as
min(desired key length, passphrase length, internal state size) in
order not to waste entropy, and in any of these cases the second
hashing pass doesn't seem to do you much good; it just loses you half
a bit of entropy to collisions.

I've been trying to think about how you might use a primitive like
Panama in combination with real entropy sources to provide a
/dev/random type thing, but I've hit a problem in how to think about
it.  For some appropriate value of N based on the computational
resources of your attacker, you have to take in at least N bits of
entropy before generating a single bit of output, or fall foul of an
iterative guessing attack.  The problem I have is that once you've got
N bits of entropy, you really don't need any more!  You could merrily
ignore all the rest of the entropy at your disposal, and (if your
components are secure) your attacker will never be any better off than
they were when you first started producing output.

Given this, what theory can you use to determine if you're using those
subsequent bits of entropy appropriately?
-- 
  __
\/ o\ [EMAIL PROTECTED]   *NOTE NEW EMAIL ADDRESS* \ /
/\__/ Paul Crowley   http://www.cluefactory.org.uk/paul/ /~\
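An added illustration of the two constructions under discussion, not code from either poster: the "push salt and passphrase, pad with one then zeroes, blank-pull, then pull the key" flow, and a /dev/random-style pool that refuses to produce output until N bits of estimated entropy have been pushed in. SHAKE-256 chaining is assumed as a stand-in for Panama's push/pull state; the state and block sizes, the `Sponge`/`GatedPool` names and the entropy estimates are all my assumptions.

```python
import hashlib

STATE_BYTES = 32        # assumed stand-in for the sponge's internal state size
BLOCK_BYTES = 32        # assumed input block size used for padding


class Sponge:
    """Hash-chained push/pull state. Each pull refreshes the state, so a run
    of blank pulls separates the absorbed input from the output that follows."""

    def __init__(self):
        self.state = bytes(STATE_BYTES)

    def push(self, data: bytes) -> None:
        # Pad each push with a single 0x01 and then zeroes to the block edge,
        # so salt and passphrase boundaries are unambiguous.
        padded = data + b"\x01"
        padded += bytes(-len(padded) % BLOCK_BYTES)
        for i in range(0, len(padded), BLOCK_BYTES):
            block = padded[i:i + BLOCK_BYTES]
            self.state = hashlib.shake_256(self.state + block).digest(STATE_BYTES)

    def pull(self, n: int) -> bytes:
        # Squeeze a fresh state plus n output bytes; n == 0 is a blank pull.
        out = hashlib.shake_256(self.state + b"pull").digest(STATE_BYTES + n)
        self.state = out[:STATE_BYTES]
        return out[STATE_BYTES:]


def derive_key(salt: bytes, passphrase: bytes, key_len: int, blank_pulls: int = 32) -> bytes:
    """Direct use of the sponge as a passphrase-to-key function."""
    s = Sponge()
    s.push(salt)
    s.push(passphrase)
    for _ in range(blank_pulls):
        s.pull(0)
    return s.pull(key_len)


class GatedPool:
    """/dev/random-style pool: credits the caller's entropy estimate per push
    and refuses to emit anything until at least min_bits have been absorbed,
    which is the condition the thread gives for resisting iterative guessing."""

    def __init__(self, min_bits: int):
        self.sponge = Sponge()
        self.min_bits = min_bits
        self.credited = 0

    def add(self, sample: bytes, est_bits: int) -> None:
        self.sponge.push(sample)
        self.credited += est_bits

    def ready(self) -> bool:
        return self.credited >= self.min_bits

    def read(self, n: int) -> bytes:
        if not self.ready():
            raise RuntimeError(f"only {self.credited} of {self.min_bits} bits credited")
        return self.sponge.pull(n)
```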
