[Cryptography] FIPS, NIST and ITAR questions
John Kelsey
crypto.jmk at gmail.com
Fri Sep 6 01:26:54 EDT 2013
Sent from my iPad
On Sep 3, 2013, at 6:06 PM, Jerry Leichter <leichter at lrw.com> wrote:
> On Sep 3, 2013, at 3:16 PM, Faré <fahree at gmail.com> wrote:
>> Can't you trivially transform a hash into a PRNG, a PRNG into a
>> cypher, and vice versa?
> No.
>
>> hash->PRNG: append blocks that are digest (seed ++ counter ++ seed)
> Let H(X) = SHA-512(X) || SHA-512(X)
> where '||' is concatenation. Assuming SHA-512 is a cryptographically secure hash, H trivially is as well. (Nothing in the definition of a cryptographic hash function says anything about minimality.) But H(X) is clearly not useful for producing a PRNG.
>
> If you think this is "obviously" wrong, consider instead:
>
> H1(X) = SHA-512(X) || SHA-512(SHA-512(X))
>
> Could you determine, just from black-box access to H1, that it's equally bad as a PRNG? (You could certainly do it with about 2^256 calls to H1 with distinct inputs - by then you have a .5 chance of a duplicated top half of the output, almost certainly with a distinct bottom half. But that's a pretty serious bit of testing....)
>
> I don't actually know if there exists a construction of a PRNG from a cryptographically secure hash function. (You can build a MAC, but even that's not trivial; people tried all kinds of things that failed until the HMAC construction was proven correct.)
> -- Jerry
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
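The construction discussed in the quoted exchange, worked through as an added example that is not part of the thread and is not any poster's code: Faré's proposed hash-to-PRNG (concatenate digest(seed || counter || seed)) instantiated once with plain SHA-512 and once with Jerry's H1(X) = SHA-512(X) || SHA-512(SHA-512(X)), together with the distinguisher that knowledge of H1's structure makes possible. The seed is a constructed sample value and the function names are my own. Note that this distinguisher is not the black-box birthday test Jerry describes; it uses the fact that we know how H1 is built, which is exactly why "it is a secure hash" says nothing about "it is a good PRNG".

```python
import hashlib
import os

# Constructed sample seed; any 16+ bytes would do for the demonstration.
SEED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def sha512(x: bytes) -> bytes:
    return hashlib.sha512(x).digest()


def h1(x: bytes) -> bytes:
    """Jerry's H1(X) = SHA-512(X) || SHA-512(SHA-512(X)); a 128-byte digest.

    Collision/preimage resistance is inherited from SHA-512, so H1 is still
    a 'cryptographically secure hash' in the usual sense.
    """
    top = sha512(x)
    return top + sha512(top)


def counter_prng(hash_fn, seed: bytes, nblocks: int) -> bytes:
    """Faré's hash->PRNG: output = hash_fn(seed || counter || seed) for counter = 0, 1, ...

    hash_fn is a hypothetical parameter so the same construction can be
    instantiated with SHA-512 or with H1.
    """
    out = b""
    for ctr in range(nblocks):
        out += hash_fn(seed + ctr.to_bytes(8, "big") + seed)
    return out


def looks_like_h1_stream(stream: bytes, block_len: int = 128) -> bool:
    """Structural distinguisher for the H1-based PRNG.

    Returns True if every 128-byte block has bottom half == SHA-512(top half).
    For uniformly random bytes this holds with probability 2^-512 per block,
    so a single block of output already separates H1-counter-mode from random.
    """
    if len(stream) < block_len:
        raise ValueError("need at least one full block")
    for i in range(0, len(stream) - block_len + 1, block_len):
        block = stream[i:i + block_len]
        top, bottom = block[:64], block[64:]
        if sha512(top) != bottom:
            return False
    return True


def compare(nbytes: int = 1024) -> dict:
    """Run the distinguisher against three 1024-byte streams.

    Returns {'h1': True, 'sha512': False, 'urandom': False}: the H1-based
    stream is detected in one query, the SHA-512-based stream and the OS RNG
    are not, even though H1 is 'as good a hash' as SHA-512.
    """
    return {
        "h1": looks_like_h1_stream(counter_prng(h1, SEED, nbytes // 128)),
        "sha512": looks_like_h1_stream(counter_prng(sha512, SEED, nbytes // 64)),
        "urandom": looks_like_h1_stream(os.urandom(nbytes)),
    }


if __name__ == "__main__":
    for name, detected in compare().items():
        print(f"{name:8s} distinguishable as H1 counter-mode: {detected}")
```

The SHA-512-based stream passes this particular test only because the test is specific to H1; passing it is no evidence that SHA-512-in-counter-mode is a sound PRNG, which is the broader point of the quoted message.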