From: Jamie Lokier <jamie@shareable.org>
To: Val Henson <val@nmt.edu>
Cc: David Wagner <daw@mozart.cs.berkeley.edu>, linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Make cryptoapi non-optional?
Date: Fri, 15 Aug 2003 12:47:21 +0100 [thread overview]
Message-ID: <20030815114721.GA15911@mail.jlokier.co.uk> (raw)
In-Reply-To: <20030815002537.GE5333@speare5-1-14>
Val Henson wrote:
> > I still do not see why either F or G are any more secure than SHA.
>
> They aren't, in the sense of cryptographically signing a document.
> They do reveal less information about the input than SHA-1.
Not really. There are two ways in which these functions can reveal
something about the input:
1. Non-random input. An 80 bit signature is virtually as good as a
160 bit signature at confirming an attacker's hypothesis about
the input being among a set of known inputs. It's not like the
kernel is deliberately trying to induce collisions, which is the
usual reason for wanting more signature bits.
2. Random input, i.e. plenty of real entropy. If there is a weakness
in the hash which NSA can use to determine the bit state, then
it's true that F or G _might_ reveal half of the information that
SHA would, if the weakness is also present in F and G. Or it
might reveal much less (Ted's hypothesis for F), or more (see 1).
But! When someone reads x bytes from /dev/urandom, twice as many
hash transforms are performed with F or G than with SHA.
So, if someone reads x bytes, the amount of information revealed
through weakness could be less or more with F or G than with SHA.
> > Unless we're postulating that SHA is deliberately weak, so that the
> > designers have a back door, that is not present in F or G.
>
> That's exactly what Ted described as his reason for doing the folding
> in the first place.
At least that reason makes sense :)
> Matt Mackall simply pointed out that a little bit of information
> theory will show you that throwing away half the output is more
> effective.
No, that depends on the nature of the hypothetical back door.
They could have engineered a back door which is completely present
when you throw the second half of the bits away. Or any half of the
bits. Or when you fold the bits together. Or which reveals some but
less information when you do any of these.
In other words, you can't protect against a deliberate back door in
SHA, you can only try to scramble the output in some way that NSA
didn't prepare for. And then you cannot be sure you succeeded.
-- Jamie
next prev parent reply other threads:[~2003-08-15 11:47 UTC|newest]
Thread overview: 120+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-08-09 7:44 [RFC][PATCH] Make cryptoapi non-optional? Matt Mackall
2003-08-09 8:04 ` David S. Miller
2003-08-09 14:05 ` Matt Mackall
2003-08-09 17:39 ` David S. Miller
2003-08-09 19:46 ` Matt Mackall
2003-08-09 20:17 ` David S. Miller
2003-08-10 8:15 ` Matt Mackall
2003-08-10 8:32 ` virt_to_offset() (Re: [RFC][PATCH] Make cryptoapi non-optional?) YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 8:30 ` David S. Miller
2003-08-10 9:02 ` virt_to_offset() YOSHIFUJI Hideaki / 吉藤英明
2003-08-11 18:21 ` virt_to_offset() David Mosberger
2003-08-12 2:46 ` virt_to_offset() David S. Miller
2003-08-10 9:05 ` virt_to_offset() (Re: [RFC][PATCH] Make cryptoapi non-optional?) Matt Mackall
2003-08-10 9:04 ` David S. Miller
2003-08-10 11:00 ` [PATCH 1/9] introduce virt_to_pagoff() YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:00 ` [PATCH 2/9] convert crypto to virt_to_pageoff() YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:05 ` [PATCH 3/9] convert net " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:07 ` [PATCH 4/9] convert drivers/block " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:09 ` [PATCH 5/9] convert drivers/ide " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:10 ` [PATCH 6/9] convert drivers/net " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:10 ` [PATCH 7/9] convert drivers/scsi " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:31 ` Christoph Hellwig
2003-08-10 11:51 ` David S. Miller
2003-08-10 12:03 ` YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 14:54 ` Christoph Hellwig
2003-08-10 14:51 ` Christoph Hellwig
2003-08-10 13:54 ` Russell King
2003-08-10 13:55 ` Russell King
2003-08-10 14:55 ` Christoph Hellwig
2003-08-11 5:21 ` David S. Miller
2003-08-10 11:10 ` [PATCH 8/9] convert drivers/usb " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:10 ` [PATCH 9/9] convert fs/jbd " YOSHIFUJI Hideaki / 吉藤英明
2003-08-11 2:15 ` [RFC][PATCH] Make cryptoapi non-optional? Jamie Lokier
2003-08-11 2:38 ` Matt Mackall
2003-08-11 4:54 ` David S. Miller
2003-08-11 5:17 ` Jamie Lokier
2003-08-13 5:01 ` [Numbers][PATCH] " Matt Mackall
2003-08-10 14:46 ` [RFC][PATCH] " James Morris
2003-08-09 14:33 ` Matt Mackall
2003-08-09 17:13 ` Jamie Lokier
2003-08-09 17:33 ` Matt Mackall
2003-08-10 13:18 ` James Morris
2003-08-10 17:45 ` Matt Mackall
2003-08-11 2:09 ` Jamie Lokier
2003-08-11 2:35 ` Matt Mackall
2003-08-11 4:59 ` Jamie Lokier
2003-08-11 5:04 ` Matt Mackall
2003-08-11 5:20 ` Jamie Lokier
2003-08-11 5:54 ` Matt Mackall
2003-08-11 6:24 ` Jamie Lokier
2003-08-11 4:58 ` David Wagner
2003-08-11 5:36 ` Jamie Lokier
2003-08-11 19:21 ` David Wagner
2003-08-13 19:37 ` Jamie Lokier
2003-08-13 3:52 ` Theodore Ts'o
2003-08-13 15:44 ` i810_rng.o on various Dell models Jim Carter
2003-08-13 16:15 ` Jeff Garzik
2003-08-13 18:43 ` Jamie Lokier
2003-08-13 18:36 ` [RFC][PATCH] Make cryptoapi non-optional? Jamie Lokier
2003-08-15 0:16 ` Network Card Entropy? was: " Mike Fedyk
2003-08-15 0:22 ` Robert Love
2003-08-13 3:20 ` Theodore Ts'o
2003-08-13 4:06 ` Matt Mackall
2003-08-14 16:53 ` Val Henson
2003-08-14 19:40 ` David Wagner
2003-08-14 20:07 ` Chris Friesen
2003-08-14 21:36 ` Jamie Lokier
2003-08-15 0:25 ` Val Henson
2003-08-15 11:47 ` Jamie Lokier [this message]
2003-08-15 0:17 ` Val Henson
2003-08-15 1:45 ` David Wagner
2003-08-15 2:21 ` Matt Mackall
2003-08-15 7:30 ` Andries Brouwer
2003-08-15 7:40 ` David S. Miller
2003-08-15 7:55 ` Andries Brouwer
2003-08-15 8:06 ` Måns Rullgård
2003-08-15 8:11 ` Nick Piggin
2003-08-15 15:11 ` Matt Mackall
2003-08-15 22:16 ` Jamie Lokier
2003-08-15 20:22 ` Val Henson
2003-08-16 6:27 ` David Wagner
2003-08-18 4:25 ` Val Henson
2003-08-15 8:09 ` Nick Piggin
2003-08-15 15:03 ` Matt Mackall
2003-08-15 17:04 ` Andries Brouwer
2003-08-15 22:05 ` Jamie Lokier
2003-08-15 22:02 ` Jamie Lokier
2003-08-15 12:48 ` Jamie Lokier
2003-08-15 22:34 ` Theodore Ts'o
2003-08-15 22:12 ` Theodore Ts'o
2003-08-15 23:35 ` James Morris
2003-08-16 15:51 ` Matt Mackall
2003-08-17 14:37 ` James Morris
2003-08-17 15:30 ` Matt Mackall
2003-08-15 23:55 ` Matt Mackall
2003-08-16 0:05 ` Andrew Morton
2003-08-16 0:58 ` Jamie Lokier
2003-08-16 4:57 ` Matt Mackall
2003-08-16 4:38 ` Matt Mackall
2003-08-16 5:03 ` Andrew Morton
2003-08-16 5:39 ` Matt Mackall
2003-08-18 6:43 ` Andreas Dilger
2003-08-18 6:55 ` David Lang
2003-08-18 11:59 ` Jamie Lokier
2003-08-18 12:11 ` Måns Rullgård
2003-08-18 13:33 ` Jamie Lokier
2003-08-18 17:03 ` David Lang
2003-08-18 17:51 ` Jamie Lokier
2003-08-22 4:28 ` David Wagner
2003-08-25 4:29 ` Jamie Lokier
2003-08-18 15:20 ` Matt Mackall
2003-08-18 3:23 ` Theodore Ts'o
2003-08-18 15:46 ` Matt Mackall
2003-08-10 2:07 ` Robert Love
2003-08-10 3:14 ` Matt Mackall
2003-08-10 3:49 ` David S. Miller
2003-08-10 4:01 ` Robert Love
2003-08-10 4:07 ` Robert Love
2003-08-16 20:40 Adam J. Richter
2003-08-17 4:28 ` Matt Mackall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030815114721.GA15911@mail.jlokier.co.uk \
--to=jamie@shareable.org \
--cc=daw@mozart.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=val@nmt.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).