From: "Jon Leonard" <jleonard@divcom.umop-ap.com>
Date: Wed, 12 Nov 1997 12:26:44 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Secure Hashing for Entropy
In-Reply-To: <199711112344.PAA18932@sirius.infonex.com>
Message-ID: <9711120417.AA10746@divcom.umop-ap.com>
MIME-Version: 1.0
Content-Type: text



Monty Cantsin wrote:
> Often we have a source of entropy whose output we use as the input to
> a secure hash function.
> 
> Does it matter if the hashing function is secure?  I don't think so.
> All that really matters is that the function hashes evenly so that any
> input string is about as likely as any other input string to result in
> a particular hash.  Even if the hash function is weak and collisions
> can be found, if it is even the same level of entropy is still
> available.
> 
> Have I got this right?

In the case where:
1) Your entropy source is as good as you think it is
2) Your opponent knows nothing about the data from your entropy source
and
3) Your entropy mixes the way you expect it to.

this is indeed the case.

If you're not completely sure about the above, using a cryptographic
hash requires your hypothetical opponent to be able to reverse the hash
to exploit what they know, rather than simpler computations.

Since it seems that paranoia pays off in the design of cryptographic
software, I'd recommend always using a strong hash.

Jon Leonard