Commit 35341d2

Finished off problem 3.
1 parent d378e79 commit 35341d2

3 files changed

+6
-4
lines changed

6.857/ps1_problem3.log

+3 -3
@@ -1,4 +1,4 @@
1-
This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.9.12) 18 FEB 2013 01:46
1+
This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.9.12) 18 FEB 2013 10:28
22
entering extended mode
33
%&-line parsing enabled.
44
**ps1_problem3.tex
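Review bot: the only change in this hunk is the pdfTeX timestamp on line 1, which will differ on every compile; `ps1_problem3.log` (and the `ps1_problem3.pdf` in this commit) are build outputs rather than sources, so consider adding `*.log` and `*.pdf` under `6.857/` to `.gitignore` and committing only `ps1_problem3.tex`, which keeps each diff limited to the actual edits.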
@@ -586,7 +586,7 @@ Overfull \vbox (4.78334pt too high) has occurred while \output is active []
586586
Here is how much of TeX's memory you used:
587587
12914 strings out of 495061
588588
253040 string characters out of 1182621
589-
329972 words of memory out of 3000000
589+
329973 words of memory out of 3000000
590590
15683 multiletter control sequences out of 15000+50000
591591
9394 words of font info for 37 fonts, out of 3000000 for 9000
592592
189 hyphenation exceptions out of 8191
@@ -600,7 +600,7 @@ s/type1/public/amsfonts/cm/cmr7.pfb></usr/share/texmf-texlive/fonts/type1/publi
600600
c/amsfonts/cm/cmr8.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm
601601
/cmsy10.pfb></usr/share/texmf-texlive/fonts/type1/public/amsfonts/cm/cmti10.pfb
602602
>
603-
Output written on ps1_problem3.pdf (3 pages, 117921 bytes).
603+
Output written on ps1_problem3.pdf (3 pages, 118390 bytes).
604604
PDF statistics:
605605
51 PDF objects out of 1000 (max. 8388607)
606606
0 named destinations out of 1000 (max. 500000)

6.857/ps1_problem3.pdf

469 Bytes
Binary file not shown.

6.857/ps1_problem3.tex

+3 -1
@@ -81,11 +81,13 @@ \section{Problem 3.b}
8181

8282
In particular, one could solve the CICO (constrained input constrained output) problem. It is well-known that Keccak can be solved with a system of equations of $(n_r + 1)b$ variables and $(n_r+1)b + n_r - r$ equations, where $n_r$ is the number of rounds. In fact, KeccakTools was written by the authors of Keccak to provide this system of equations. Since $n_r = 1$ in this case, the amount of computation required to solve this system is greatly reduced compared to a full application of Keccak.
8383

84-
There are other weaknesses that result from a low number of rounds. Amplified boomerang and rectangle attacks, which construct chains of differentials over small numbers of rounds, are more easily used for Keccak with a small number of rounds. Higher order differentials, the authors claim, do not pose a significant threat because of the high average diffusion of Keccak. However, the diffusion in Keccak occurs in proportion to the number of rounds. Therefore, with a small number of rounds, the average diffusion of Keccak may be low enough to make it vulnerable to higher order differential attacks.
84+
There are other weaknesses that result from a low number of rounds. Amplified boomerang and rectangle attacks, which construct chains of differentials over small numbers of rounds, are more easily used for Keccak with a small number of rounds. Higher order differentials, the authors claim, do not pose a significant threat because of the high average diffusion of Keccak. However, the diffusion in Keccak occurs in proportion to the number of rounds. Therefore, with a small number of rounds, the average diffusion of Keccak may be low enough to make it vulnerable to higher order differential attacks.
8585

8686
Other attacks, such as impossible differentials, also work better with a lower number of rounds. The authors have provided empirical evidence that Keccak-$f$ permutations behave randomly. The authors dismissed these attacks because they suggested that the number of rounds of Keccak was sufficient to avoid low-weight differential trails.
8787

8888
Therefore, most attacks are more potent when Keccak has a low number of rounds. The fact that Ben Bitdiddle's proposal for \emph{/dev/random} can be attacked on these grounds significantly weakens his proposal. For his proposal to work, the Keccak-$f$ permutations would have to have a high security margin even for a low number of rounds.
8989

90+
The main reason Ben Bitdiddle's proposal has weaknesses is because after every $r$ bits of environmental input, it is plausible that the user could retrieve $r$ bits of output. Such fast turnaround prevents SHA-3 from being able to go through the requisite rounds of absorption and interleave the Keccak-$f$ permutations with new bits. It is possible for only a single round of Keccak-$f$ permutations to occur before output is obtained by the user. The authors never tried to prove many of the security properties of Keccak for such a low number of rounds.
91+
9092
\end{document}
9193

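Review bot: the paragraph added at line 90 supplies the premise (only a single round of Keccak-$f$ runs before output can be obtained) that the "Therefore, most attacks are more potent when Keccak has a low number of rounds" conclusion at line 88 depends on, so it reads better placed before that conclusion, for example directly after line 82, which already assumes $n_r = 1$. Lines 84- and 84+ appear identical in the rendered diff, so that change is presumably whitespace only and could be dropped to keep the hunk focused. Also, "rounds of absorption" at line 90 blurs two things the section otherwise distinguishes: the internal rounds $n_r$ of Keccak-$f$ (line 82) and the sponge absorbing one $r$-bit block per permutation call; stating explicitly that the proposal applies a single round of Keccak-$f$ per $r$-bit block would make the claim precise.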