Re: [Cfrg] On using ROs for analyzing randomness extraction functions
John Wilkinson writes:
> H(m) := m*x^256 mod x^256 + x^10 + x^5 + x^2 + 1
Compressibility alert! I'm willing to bet quite a lot of money that you
didn't produce this polynomial by flipping 256 coins and then testing
irreducibility. Here's a replacement for 10,5,2,1: the nonzero bits of
80732611323681528892253724266645620659672229865344711926625102802953711697391.
> Such a construction would seem to be efficient and practical, and
> avoids any reliance on random oracles, so, something must be wrong
> with it. :)
It's certainly much better than nothing. But it doesn't guarantee
security: among other problems, it could allow related-key attacks.
That's why we use things like SHA-256.
---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
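The two points in Bernstein's reply, that the modulus should be a random irreducible polynomial and that the construction is linear (hence related-key and trivial-collision behaviour), can both be checked directly. The following is an added example, not code from the thread: it implements GF(2)[x] arithmetic on Python ints (bit i is the coefficient of x^i), the map H(m) = m * x^256 mod p(x), and Rabin's irreducibility test. It assumes Bernstein's "nonzero bits of N" means the polynomial x^256 + (the terms whose exponents are the set bits of N), and the message in the main block is constructed sample input.

```python
# Added example (not from the thread). Polynomials over GF(2) are Python ints:
# bit i of the int is the coefficient of x^i.

# Wilkinson's modulus: x^256 + x^10 + x^5 + x^2 + 1
P_WILKINSON = (1 << 256) | (1 << 10) | (1 << 5) | (1 << 2) | 1

# Bernstein's replacement, read (assumption) as x^256 plus the polynomial whose
# nonzero coefficients are the set bits of the integer he posted.
N_BERNSTEIN = 80732611323681528892253724266645620659672229865344711926625102802953711697391
P_BERNSTEIN = (1 << 256) | N_BERNSTEIN


def pmul(a: int, b: int) -> int:
    """Carry-less multiplication in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def pmod(a: int, m: int) -> int:
    """Remainder of a divided by m in GF(2)[x]; m must be nonzero."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def pgcd(a: int, b: int) -> int:
    """Euclid's algorithm in GF(2)[x]."""
    while b:
        a, b = b, pmod(a, b)
    return a


def poly_hash(m: int, p: int = P_WILKINSON) -> int:
    """H(m) = m * x^deg(p) mod p(x): a CRC-style GF(2)-linear map onto deg(p) bits."""
    return pmod(m << (p.bit_length() - 1), p)


def is_linear(m1: int, m2: int, p: int = P_WILKINSON) -> bool:
    """H(m1 xor m2) == H(m1) xor H(m2): with a known key difference d, the
    attacker knows the difference H(k xor d) xor H(k) = H(d) without knowing k."""
    return poly_hash(m1 ^ m2, p) == poly_hash(m1, p) ^ poly_hash(m2, p)


def collides_with_modulus(m: int, p: int = P_WILKINSON) -> bool:
    """H(m xor p) == H(m): xoring the modulus into any message leaves H unchanged,
    because H(p) = p * x^256 mod p = 0 and H is linear."""
    return poly_hash(m ^ p, p) == poly_hash(m, p)


def prime_factors(n: int) -> set:
    """Set of prime divisors of n (trial division; n is small here)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_irreducible(f: int) -> bool:
    """Rabin's test: f of degree n is irreducible over GF(2) iff
    x^(2^n) == x (mod f) and gcd(x^(2^(n/q)) - x, f) == 1 for every prime q | n."""
    n = f.bit_length() - 1
    if n < 1:
        return False
    x = pmod(2, f)
    xpow = {0: x}  # xpow[k] = x^(2^k) mod f, built by repeated squaring
    for k in range(1, n + 1):
        xpow[k] = pmod(pmul(xpow[k - 1], xpow[k - 1]), f)
    if xpow[n] != x:
        return False
    return all(pgcd(xpow[n // q] ^ x, f) == 1 for q in prime_factors(n))


if __name__ == "__main__":
    # Constructed sample inputs: a message polynomial and a "key difference".
    msg = int.from_bytes(b"constructed sample message for the CRC-style hash H(m)", "big")
    delta = 1 << 77
    print("H is GF(2)-linear:          ", is_linear(msg, delta))
    print("H(m xor p) == H(m):         ", collides_with_modulus(msg))
    print("Wilkinson modulus irreducible:", is_irreducible(P_WILKINSON))
    print("Bernstein modulus irreducible:", is_irreducible(P_BERNSTEIN))
```

Linearity and the modulus collision hold for any modulus, random or not, which is why a random irreducible polynomial fixes the "compressibility" objection but not the related-key one; irreducibility only guarantees that the quotient ring is a field, not that the map is hard to invert or collision-resistant.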