From: Matt Mackall <mpm@selenic.com>
To: linux@horizon.com
Cc: akpm@linux-foundation.org, bgilbert@cs.cmu.edu,
linux-kernel@vger.kernel.org, tytso@mit.edu
Subject: Re: [PATCH] random: fix folding
Date: Wed, 13 Jun 2007 01:08:55 -0500 [thread overview]
Message-ID: <20070613060855.GY11115@waste.org> (raw)
In-Reply-To: <20070613054521.18992.qmail@science.horizon.com>
On Wed, Jun 13, 2007 at 01:45:21AM -0400, linux@horizon.com wrote:
> > Folding is done to minimize the theoretical possibility of systematic
> > weakness in the particular bits of the SHA1 hash output. The result of
> > this bug is that 16 out of 80 bits are un-folded. Without a major new
> > vulnerability being found in SHA1, this is harmless, but still worth
> > fixing.
>
> Actually, even WITH a major new vulnerability found in SHA1, it's
> harmless. Sorry to put BUG in caps earlier; it actually doesn't warrant
> the sort of adjective I used. The purpose of the folding is to ensure that
> the feedback includes bits underivable from the output. Just outputting
> the first 80 bits and feeding back all 160 would achieve that effect;
> the folding is of pretty infinitesimal benefit.
Well we're actually not feeding back those 160 bits. But we are
hashing over the entire pool and feeding -that- back beforehand, which
is equivalent.
> Note that last five rounds have as major outputs e, d, c, b, and a,
> in that order. Thus, the first words are the "most hashed" and
> the ones most worth using as output... which happens naturally with
> no folding.
Indeed, though we actually want to keep random.c agnostic as to the
type of hash actually used.
> The folding is a submicroscopic bit of additional mixing.
> Frankly, the code size savings probably makes it worth deleting it.
> (That would also give you more flexibility to select the output/feedback
> ratio in whatever way you like.)
I'd tend to agree with you. Even if we did no folding at all in this
last stage, we already do plenty of feedback. For every 80 bits
extracted, we feed back at least.. 320.
--
Mathematics is the supreme nostalgia of our time.
next prev parent reply other threads:[~2007-06-13 6:09 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-11 7:53 [PATCH 2/3] [CRYPTO] Add optimized SHA-1 implementation for i486+ linux
2007-06-11 19:17 ` Benjamin Gilbert
2007-06-12 5:05 ` linux
2007-06-13 5:29 ` [PATCH] random: fix folding Matt Mackall
2007-06-13 5:45 ` linux
2007-06-13 6:08 ` Matt Mackall [this message]
2007-06-13 5:50 ` [PATCH 2/3] [CRYPTO] Add optimized SHA-1 implementation for i486+ Matt Mackall
2007-06-13 6:46 ` linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070613060855.GY11115@waste.org \
--to=mpm@selenic.com \
--cc=akpm@linux-foundation.org \
--cc=bgilbert@cs.cmu.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox