Re: One real life secure random generator

David Wagner (daw@CS.Berkeley.EDU)
Tue, 14 Jul 1998 13:24:20 -0700 (PDT)

• Next message: David Wagner: "Re: One real life secure random generator"
• Previous message: Bill Frantz: "Re: One real life secure random generator"
• Maybe in reply to: Bill Frantz: "One real life secure random generator"
• Next in thread: David Wagner: "Re: One real life secure random generator"

In article <35A97FB6.3EAAAC13@cs.umass.edu> you write:
> Bill Frantz wrote:
> >>> When we generate a random number, we compute enough MD5(entire pool || 8
> >>> byte sequence counter) to meet fill the requested size. The 8 byte
> >>> sequence counter is incremented for each new calculation.
>
> Bram writes:
> > Unfortunately that can result in hashing a large number of similar
> > bitstrings, making those available is an attack most hash functions aren't
> > really meant to withstand.
>
> Pardon? I assume we are discussing cryptographic hash functions whose
> designs are public. An attacker can certainly choose a large set of inputs,
> hash them all, and examine the resulting hash values. In what sense is this
> "an attack most hash functions aren't really meant to withstand"?

I think it would help to state the required security property:
  It is infeasible to distinguish the keystream sequence Z_1,..,Z_n
  where Z_j = MD5(secret || j) from a sequence of 128n truly random
  bits with non-negligible probability.
This is just saying that MD5(secret || counter) is a secure stream
cipher.

I claim that this usage of MD5 has not seen much analysis.

In particular, most of the analysis of MD5 seems to be devoted either
to its collision-resistance or to its strength as a one-way function.
Here a one-way function H is one where
  Given Y = H(X) for some unknown X, finding some X' with H(X') = Y is
  infeasible.

Note that neither property is enough on its own to make this stream
cipher mode secure. For instance, define the function F as
  F(x) = H(x) || 16 bytes of zeros,
where H is e.g. SHA. It is clear that F is collision-resistant and
one-way if H is, yet F(secret || counter) makes a terrible stream cipher.
This is just a silly counter-example, but I think the idea is quite
sound.

• Next message: David Wagner: "Re: One real life secure random generator"
• Previous message: Bill Frantz: "Re: One real life secure random generator"
• Maybe in reply to: Bill Frantz: "One real life secure random generator"
• Next in thread: David Wagner: "Re: One real life secure random generator"