
Reference Document: https://eprint.iacr.org/2016/027.pdf

According to Appendix D, Section 4, Definition 27:

each vertex in V has predecessors sampled independently and uniformly at random from the set U

It appears from the pseudo-code in Section 3.1, step 2b, and from the reference code given on GitHub (hash_state_mix()), that the authors have implemented this as some form of squeezing bits out of the hash function; however, my question is: could it just as easily have been done with the Mersenne Twister, or is there another reason why the hash is required?

rmalayter
Gregor y

1 Answer


If you use the Mersenne Twister or any other non-cryptographic PRNG, then it is conceivable that an adversary could exploit some pattern in the Mersenne Twister's outputs to find a shortcut to reversing the resulting hash. Cryptographic PRNGs are designed so that despite decades of efforts, cryptanalysts have been unable to find any patterns in their outputs that are even detectable, let alone exploitable in context.

Don't use the Mersenne Twister! It's also bad as a non-cryptographic PRNG because it is expensive to initialize and requires a multi-kilobyte state, so it discourages parallelism and reproducible subtrees of computations.

Squeamish Ossifrage
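As an added illustration of the point made in the answer (this is example code written for this page, not code from the question, the answer, the Equihash paper, or its reference implementation): the block below contrasts the two ways of choosing predecessors. hash_predecessors squeezes index bits out of a BLAKE2b digest; its input layout (seed, vertex number, counter) is an assumption for illustration and is not the paper's exact step 2b. MTPredictor then shows why the Mersenne Twister is unsuitable: the tempering applied to each output word is invertible, so 624 consecutive 32-bit outputs reveal the complete internal state, and the linear recurrence reproduces every later output. An adversary who saw that many "random" predecessor choices would know all the rest, which is exactly the kind of exploitable pattern a cryptographic hash is designed not to have. The predictor works from any 624 consecutive outputs, not only from a state-block boundary.

```python
import hashlib
import random

MASK32 = 0xFFFFFFFF
N, M = 624, 397                      # MT19937 state size and shift


def hash_predecessors(seed: bytes, vertex: int, count: int, index_bits: int) -> list:
    """Illustrative sampling of `count` predecessor indices in [0, 2**index_bits)
    for `vertex` by squeezing bits out of BLAKE2b. The input layout
    (seed || vertex || counter) is an assumption, not the paper's exact step 2b."""
    indices = []
    counter = 0
    while len(indices) < count:
        block = seed + vertex.to_bytes(4, "little") + counter.to_bytes(4, "little")
        bits = int.from_bytes(hashlib.blake2b(block, digest_size=32).digest(), "little")
        for _ in range(256 // index_bits):          # take index_bits at a time
            if len(indices) == count:
                break
            indices.append(bits & ((1 << index_bits) - 1))
            bits >>= index_bits
        counter += 1                                 # squeeze another digest if needed
    return indices


def temper(y: int) -> int:
    """MT19937 output tempering: a fixed, invertible bijection on 32-bit words."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y: int) -> int:
    """Exact inverse of temper(): undo the four steps in reverse order.
    The two shift-and-mask steps are inverted by a few fixed-point iterations,
    because each iteration recovers another 7 (resp. 11) correct bits."""
    y ^= y >> 18
    y ^= (y << 15) & 0xEFC60000
    x = y
    for _ in range(5):
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & MASK32
    x = y
    for _ in range(3):
        x = y ^ (x >> 11)
    return x & MASK32


class MTPredictor:
    """Recover MT19937 state from 624 consecutive 32-bit outputs and predict the rest."""

    def __init__(self, outputs):
        if len(outputs) < N:
            raise ValueError("need at least 624 consecutive 32-bit outputs")
        self.state = [untemper(o) for o in outputs[-N:]]   # s_k .. s_{k+623}

    def next(self) -> int:
        # Written as a uniform recurrence on the sequence of internal words:
        # s_{k+624} = s_{k+397} ^ f(s_k, s_{k+1}), which is what the standard
        # block-wise "twist" computes, so any 624-word window works.
        s = self.state
        y = (s[0] & 0x80000000) | (s[1] & 0x7FFFFFFF)
        new = s[M] ^ (y >> 1) ^ (0x9908B0DF if y & 1 else 0)
        del s[0]
        s.append(new)
        return temper(new)


def predict_matches(seed: int, skip: int, check: int) -> bool:
    """Seed a 'victim' generator with a seed the attacker never sees, discard `skip`
    outputs (an unknown offset into the state block), observe 624 outputs, then check
    that the predictor reproduces the next `check` outputs exactly."""
    victim = random.Random(seed)
    for _ in range(skip):
        victim.getrandbits(32)
    observed = [victim.getrandbits(32) for _ in range(N)]
    predictor = MTPredictor(observed)
    return all(predictor.next() == victim.getrandbits(32) for _ in range(check))


if __name__ == "__main__":
    print("hash-derived indices for vertex 7:", hash_predecessors(b"example-seed", 7, 5, 20))
    print("MT outputs predicted after 624 observed words:", predict_matches(20160027, 1000, 2000))
```

The constructed seed bytes and the vertex numbers in the usage are made up for the demonstration; the property that matters is that the hash-derived indices give an observer no handle on the other vertices' predecessors, whereas the Mersenne Twister leaks everything after one state block.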