[146549] in cryptography@c2.net mail archive


Re: [Cryptography] FIPS, NIST and ITAR questions

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Tue Sep 3 19:09:35 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CAN7nBXf-Q0UTY41PZ37L=LyA-W=5KaDkwBQP7EQ7U=tc7Yp9nw@mail.gmail.com>
Date: Tue, 3 Sep 2013 18:06:42 -0400
To: Faré <fahree@gmail.com>
Cc: Cryptography Mailing List <cryptography@metzdowd.com>, radix42@gmail.com,
	Richard Salz <rich.salz@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 3, 2013, at 3:16 PM, Faré <fahree@gmail.com> wrote:
> Can't you trivially transform a hash into a PRNG, a PRNG into a
> cypher, and vice versa?
No.

> hash->PRNG: append blocks that are digest (seed ++ counter ++ seed)
Let H(X) = SHA-512(X) || SHA-512(X)
where '||' is concatenation.  Assuming SHA-512 is a cryptographically secure
hash, H trivially is as well.  (Nothing in the definition of a cryptographic
hash function says anything about minimality.)  But H(X) is clearly not
useful for producing a PRNG.

If you think this is "obviously" wrong, consider instead:

H1(X) = SHA-512(X) || SHA-512(SHA-512(X))

Could you determine, just from black-box access to H1, that it's equally bad
as a PRNG?  (You could certainly do it with about 2^256 calls to H1 with
distinct inputs - by then you have a .5 chance of a duplicated top half of
the output, almost certainly with a distinct bottom half.  But that's a
pretty serious bit of testing....)

I don't actually know if there exists a construction of a PRNG from a
cryptographically secure hash function.  (You can build a MAC, but even
that's not trivial; people tried all kinds of things that failed until the
HMAC construction was proven correct.)
                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
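The point of the message above is easy to see concretely. The following is an added example, not code from the thread or from either correspondent: it implements the proposed "append blocks that are digest(seed ++ counter ++ seed)" construction generically over a hash function, instantiates it with plain SHA-512, with Jerry's H (duplicated digest) and with his H1 (digest chained with its own hash), and runs a cheap distinguisher over consecutive 64-byte chunks of the output. The seed value, the function names and the 8-byte big-endian counter encoding are assumptions made for the example; the hashes H and H1 are exactly the ones defined in the message.

```python
"""The hash->PRNG construction from the thread, run against three hashes.

Added example, not from the original post. hashlib.sha512 stands in for
"a cryptographically secure hash"; H and H1 follow the message verbatim.
"""
import hashlib
from typing import Callable, Optional

BLOCK = 64  # SHA-512 digest length in bytes


def sha512(data: bytes) -> bytes:
    """The base hash used by all three constructions."""
    return hashlib.sha512(data).digest()


def h_dup(data: bytes) -> bytes:
    """H(X) = SHA-512(X) || SHA-512(X).

    Preimage/collision resistance is inherited from SHA-512, but half of
    every output is redundant.
    """
    d = sha512(data)
    return d + d


def h_chain(data: bytes) -> bytes:
    """H1(X) = SHA-512(X) || SHA-512(SHA-512(X)).

    Also a fine hash, but the second half is a public function of the first.
    """
    d = sha512(data)
    return d + sha512(d)


def hash_prng(hash_fn: Callable[[bytes], bytes], seed: bytes, nbytes: int) -> bytes:
    """The proposed construction: concatenate digest(seed || counter || seed)
    for counter = 0, 1, 2, ... until nbytes of output exist.

    Counter encoding (8 bytes, big-endian) is an assumption of this example.
    """
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hash_fn(seed + counter.to_bytes(8, "big") + seed)
        counter += 1
    return bytes(out[:nbytes])


def distinguish(stream: bytes) -> Optional[str]:
    """Cheap test on consecutive 64-byte chunks of a PRNG output stream.

    Returns a label for the first structural relation found between a chunk
    and its successor, or None if none is found. For a stream built from
    plain SHA-512 in counter mode, either relation holding by chance has
    probability about 2^-512 per pair, so None is the expected answer.
    """
    chunks = [stream[i:i + BLOCK] for i in range(0, len(stream) - BLOCK + 1, BLOCK)]
    for a, b in zip(chunks, chunks[1:]):
        if a == b:
            return "duplicated halves"      # the H construction
        if b == sha512(a):
            return "chained halves"         # the H1 construction
    return None


def run_all(seed: bytes, nbytes: int = 1024) -> dict:
    """Build a stream from each hash and report what the distinguisher sees."""
    return {
        "sha512": distinguish(hash_prng(sha512, seed, nbytes)),
        "H": distinguish(hash_prng(h_dup, seed, nbytes)),
        "H1": distinguish(hash_prng(h_chain, seed, nbytes)),
    }


if __name__ == "__main__":
    # Constructed seed for the demonstration; not a real key.
    for name, verdict in run_all(b"constructed seed, not a real key").items():
        print(f"{name:7s} -> {verdict}")
```

The distinguisher is not a black-box one in the sense of the message: it knows that SHA-512 is the underlying primitive and checks for the specific relation H1 introduces. Without that knowledge, the H1 stream only betrays itself through the birthday effect Jerry describes, which is the point of contrasting H with H1.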
