[Cryptography] FIPS, NIST and ITAR questions

John Kelsey crypto.jmk at gmail.com
Fri Sep 6 01:40:54 EDT 2013

> Let H(X) = SHA-512(X) || SHA-512(X)
> where '||' is concatenation.  Assuming SHA-512 is a cryptographically secure hash H trivially is as well.  (Nothing in the definition of a cryptographic hash function says anything about minimality.)  But H(X) is clearly not useful for producing a PRNG.

You won't get a prf or stream cipher or prng or block cipher just out of collision resistance--you need some kind of pseudorandomness assumption.  We expect general purpose hash functions like Keccak to provide that, but it doesn't follow from the collision resistance assumption, for exactly the reason you gave there--it's possible to design collision-resistant functions that leak input or are predictable in some bits. 
> I don't actually know if there exists a construction of a PRNG from a cryptographically secure hash function.  (You can build a MAC, but even that's not trivial; people tried all kinds of things that failed until the HMAC construction was proven correct.)

The HMAC construction wouldn't give a PRF for your example of 

h(x) = sha512(x) || sha512(x)

A single output would be trivial to distinguish from a 1024 bit random number.  

>                                                        -- Jerry


More information about the cryptography mailing list