Cicero (cicero@redneck.efga.org)
18 Jul 1998 20:58:26 -0000
John Kelsey wrote:
>The original proposal was:
>
>a. Hash buffer full of data, yielding key K.
>b. Encrypt buffer in CBC-mode, under key K.
>
>Imagine a block of data, X, and a 128-bit block cipher key
>generated by hashing that block of data. We form K =
>hash(X), and then form X' = E_K(X). The question is, are
>all X' values possible results from some X?
>
>...
>
>Let's look at an extreme case of this: X is one bit, K is
>the hash of that one bit using SHA1, and the low-order bit
>of the resulting hash is used to encrypt X by being XORed
>into it. In this case, there are two possibilities: If
>hash(0) = hash(1) in that low bit, then we don't lose any
>entropy, since we're just XORing in a constant. If
>hash(0)!=hash(1), though, then we always get the same value
>for X', regardless of X. (Imagine hash(0) = 0, hash(1) = 1.
>X' = 0 for all X. Similarly, hash(0)=1, hash(1)=0 leads to
>X' = 1 for all X.)

I have not had time to work through all the details of your analysis,
but I look forward to doing that. I can, though, make a comment based
on the above (which I think that I do understand). I believe that you
understood me to be making an assertion about the map:

    X --> X' = E_K(X)

which you correctly point out is not invertible, and therefore not
entropy preserving.

I had said:

>>If I were to retain the value of the hash, I could later decrypt the
>>CBC-encrypted data, returning it to its original state. This
>>invertibility proves conservation of entropy.

When I used the word "retain", I meant to imply the map:

    X --> (X', hash(X))

You are correct in asserting that my extra condition is needed.

>Am I missing something?

No, I was not clear enough.

Cicero
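
The two maps discussed in this message, compared by exhaustive enumeration (an added example, not code from either poster). It generalises the one-bit case to n-bit values and assumes a toy cipher, XOR with the low n bits of SHA-1(X), in place of a CBC-mode block cipher; the function names are hypothetical.

```python
import hashlib
import math
from collections import Counter


def derive_key(x: int, n: int) -> int:
    """K = low n bits of SHA-1 over the n-bit value x (toy stand-in for K = hash(X))."""
    digest = hashlib.sha1(x.to_bytes((n + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)


def encrypt(x: int, k: int) -> int:
    """Toy E_K: XOR with the key. Assumption: replaces the CBC-mode cipher."""
    return x ^ k


def decrypt(x_prime: int, k: int) -> int:
    """Inverse of encrypt once K is known."""
    return x_prime ^ k


def entropy_bits(counts: Counter, total: int) -> float:
    """Shannon entropy of the output distribution for uniformly random X."""
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def compare_maps(n: int) -> dict:
    """Enumerate all n-bit X and measure both maps from the thread."""
    total = 1 << n
    only_ciphertext = Counter()   # X --> X' = E_K(X)
    with_hash = Counter()         # X --> (X', hash(X))
    for x in range(total):
        k = derive_key(x, n)
        x_prime = encrypt(x, k)
        if decrypt(x_prime, k) != x:      # retained hash must recover X
            raise RuntimeError("toy cipher is not invertible under K")
        only_ciphertext[x_prime] += 1
        with_hash[(x_prime, k)] += 1
    return {
        "inputs": total,
        "distinct_ciphertexts": len(only_ciphertext),
        "distinct_pairs": len(with_hash),
        "entropy_ciphertext": entropy_bits(only_ciphertext, total),
        "entropy_pair": entropy_bits(with_hash, total),
    }


if __name__ == "__main__":
    for bits in (1, 8, 12):
        print(bits, compare_maps(bits))
```

Collisions in X' alone show up as `distinct_ciphertexts` falling below `inputs`, while the pair (X', hash(X)) always takes as many distinct values as there are inputs.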
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:37 ADT