2

Let's suppose I want to generate a 2048-bit key from a hash function with security up to 512 bits (such as Blake2b).

I take 4 high-resolution photos, hash them with a hash output length of 512 bits and concatenate all the hashes, generating a 256-byte (2048-bit) key.

Will this scheme safely generate a key with real security of 2048 bits?

phantomcraft

1 Answer

2

Using a hash function is a common way to extract entropy from non-uniform sources. Yes, Blake2b cannot have more than 512-bit security; therefore, you need to concatenate outputs of different inputs to achieve more bits.

Concatenating all of the inputs (call it $m$) into one big, good entropy source and then getting 2048 bits by using the hash function in CTR mode

$$key = Blake2b\big(m\mathbin\|01\big)\mathbin\| Blake2b\big(m\mathbin\|02\big) \mathbin\| Blake2b\big(m\mathbin\|03\big)\mathbin\| Blake2b\big(m\mathbin\|04\big)$$

is the common way to get the desired output, or directly use the XOF of SHAKE256.

There is also chaining:

\begin{align} h_0 &= \operatorname{Blake2b}(image_0)\\ h_i &= \operatorname{Blake2b}(image_i\mathbin\| h_{i-1}) \end{align}

Here, you need to guarantee that the images are different. If not, knowing the first image will guarantee that the attackers will get the rest. So, the security is reduced. Stick to the CTR mode or use an XOF.

While 256 bits is enough for everyone to encrypt, even against quantum adversaries, make sure that your input files carry enough entropy from the sources they are taken from. If the image repository is highly limited or the images have few variations, you may end up with bad entropy.

kelalaka
  • This idea always brings to mind the key selection from the movie Johnny Mnemonic – kelalaka Apr 10 '22 at 10:48
  • I just needed to know a "yes" or "no", thank you. There are some stream ciphers that don't have a key schedule algorithm, such as ISAAC and Pike (it seems Pike doesn't deliver full randomness in output using a bad key); this scheme could be useful to fill their internal states. Also, SEAL 3.0 has a 32768-bit internal state that should be filled with a hash function in counter mode, as the author recommends; instead of using a CTR mode, using different key chunks for each hash function invocation could lead to better security (32.768 bits of security at 4cpb is something wonderful to me). – phantomcraft Apr 10 '22 at 11:11
  • I wrote a simple master key generator in bash based on your idea of chaining the random inputs: https://github.com/phantomcraft/mkeygen – phantomcraft Apr 10 '22 at 18:01
  • This answer is correct, but it's misleading and being misinterpreted. Hash chaining is only secure here because each step uses a different image. If the same image is used, then output like $h_0||h_1 = H(\mathit{image} || H(\mathit{image}))$ with an $n$-bit hash function $H$ can be reconstructed from the first $n$ bits. Using all the inputs to derive all the output is a lot more robust. Concatenating the inputs as proposed in the question is better. – Gilles 'SO- stop being evil' Oct 14 '22 at 20:40
  • @Gilles'SO-stopbeingevil' thanks, I'll update a little later. – kelalaka Oct 14 '22 at 20:42
  • Wow, I was really engaged in generating keys using concatenation or CTR mode for a unique photo; I had no idea how wrong I was. Thanks! – phantomcraft Oct 14 '22 at 22:54
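
The constructions discussed in the answer and in the comments above, as an added Python example that is not part of the original posts: counter-mode expansion over the concatenated inputs, the SHAKE256 XOF alternative, and the chaining variant with a check showing that reusing one image makes every later block recomputable from the first block. The function names, the one-byte counter encoding, the plain concatenation of inputs, and the sample inputs are assumptions made for illustration.

```python
import hashlib

BLOCK = 64  # Blake2b maximum digest size in bytes (512 bits)

def H(data: bytes) -> bytes:
    return hashlib.blake2b(data, digest_size=BLOCK).digest()

def derive_ctr(inputs, n_blocks=4):
    """key = H(m || 01) || H(m || 02) || ... with m = all inputs concatenated."""
    m = b"".join(inputs)
    # Assumption: the counter is a single byte starting at 0x01.
    return b"".join(H(m + bytes([i])) for i in range(1, n_blocks + 1))

def derive_xof(inputs, out_len=256):
    """Same idea with an extendable-output function: SHAKE256 over m."""
    return hashlib.shake_256(b"".join(inputs)).digest(out_len)

def derive_chain(images):
    """h_0 = H(image_0), h_i = H(image_i || h_{i-1}); key = h_0 || h_1 || ..."""
    blocks = [H(images[0])]
    for img in images[1:]:
        blocks.append(H(img + blocks[-1]))
    return b"".join(blocks)

def chain_determined_by_first_block(images):
    """True if h_1.. can be rebuilt from h_0 and images[0] alone.

    This is the case when the same image is reused at every step: the
    whole key then carries no more than the 512 bits of its first block.
    """
    key = derive_chain(images)
    h = key[:BLOCK]
    rebuilt = h
    for _ in images[1:]:
        h = H(images[0] + h)
        rebuilt += h
    return rebuilt == key

# Constructed stand-ins for the raw bytes of four different photos.
PHOTOS = [b"constructed photo bytes #%d" % i for i in range(4)]

if __name__ == "__main__":
    print("CTR key bytes:", len(derive_ctr(PHOTOS)))
    print("XOF key bytes:", len(derive_xof(PHOTOS)))
    print("chain, 4 distinct images, rebuildable from h_0:",
          chain_determined_by_first_block(PHOTOS))
    print("chain, 1 image reused, rebuildable from h_0:",
          chain_determined_by_first_block([PHOTOS[0]] * 4))
```

In every variant the key holds no more entropy than the inputs that went into it; the counter and XOF forms only ensure that all inputs contribute to every output block.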