[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+aY-u69iqCZMM1qmtdptk2u-sMHkd8cTvPpYrCEkHS6OuO9HA@mail.gmail.com>
Date: Sat, 5 Apr 2014 17:48:06 +0100
From: Peter Maxwell <peter@...icient.co.uk>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Re: Mechanical tests
On 5 April 2014 16:41, Daniel Franke <dfoxfranke@...il.com> wrote:
> "Poul-Henning Kamp" <phk@....freebsd.dk> writes:
>
> > Dieharder looks for bits which do not carry one full bit of entropy,
> > whivh is important if you are in the market for random-looking bits.
> >
> > We are not, we are in the business of making sure that entropy is
> > not lost, and we do not care if an algorithm spits out 100 bits
> > with full entropy or 1000 bits each with only 1/10th bit of entropy.
>
> Some of the PHC candidates claim to be key derivation functions. In
> those cases we most assuredly do care about this. It would mean that the
> effective length of your derived key is only a 1/10 what you thought it
> was.
>
No, PHK's definition was, probably provably, correct (for password hash or
key derivation), assuming the *full* output is being used.
> POMELO's submission document doesn't use the words "key derivation
> function", but it does claim collision resistance. But if you can find a
> sequence of inputs which causes the outputs to fails the
> diehard_birthdays test, then obviously you've reduced its collision
> resistance to at least something less than 2**(outlen/2) (for outlen
> expressed in bits). In this case, inputs of 0, 1, 2, 3... did the job.
>
Collision resistance is different from "estimating" entropy in specific
bits, which is a different - albeit important for KDFs - kettle of fish.
Content of type "text/html" skipped
Powered by blists - more mailing lists