lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 05 Apr 2014 12:53:29 -0400
From: Daniel Franke <dfoxfranke@...il.com>
To: "Poul-Henning Kamp" <phk@....freebsd.dk>
Cc: discussions@...sword-hashing.net
Subject: Re: Mechanical tests

"Poul-Henning Kamp" <phk@....freebsd.dk> writes:

> In message <87k3b3okah.fsf@...fjaw.dfranke.us>, Daniel Franke writes:
>>"Poul-Henning Kamp" <phk@....freebsd.dk> writes:
>>
>>> Dieharder looks for bits which do not carry one full bit of entropy,
>>> whivh is important if you are in the market for random-looking bits.
>>>
>>> We are not, we are in the business of making sure that entropy is
>>> not lost, and we do not care if an algorithm spits out 100 bits
>>> with full entropy or 1000 bits each with only 1/10th bit of entropy.
>>
>>Some of the PHC candidates claim to be key derivation functions. In
>>those cases we most assuredly do care about this. It would mean that the
>>effective length of your derived key is only a 1/10 what you thought it
>>was.
>
> No, that depends on the length of the number of bits output, times
> the amount of entropy in each bit.

I was specifically quoting your example in which the output length is
1000 bits and each "bit" carries 1/10 bit of entropy (which I take to
mean that each bit is i.i.d. with Pr[b = 0] = 0.0129869).

Let me try another explanation. Let F be a random oracle. Let G be a
procedure which queries F with its input, takes 128 bits of F's output,
and then returns those bits interleaved with 0s. So, G's output is 256
bits long, but only has 128 bits of entropy. This makes G fine and dandy
as a password hash, because for a password hash 128 bits is plenty. But
as a KDF, it's a disaster, because users might split its 256-bit output
into two 128-bit keys, thinking that those keys are giving them a
128-bit security level, when actually they're only getting a 64-bit
security level. G is also a disaster as a collision-resistant hash
function, providing only 64 bits of collision resistance.

Powered by blists - more mailing lists