[146571] in cryptography@c2.net mail archive
Re: [Cryptography] FIPS, NIST and ITAR questions
daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Sep 4 18:40:37 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 03 Sep 2013 20:05:35 -0700
To: Cryptography Mailing List <cryptography@metzdowd.com>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <F6097361-4D92-4A4B-8963-8BFF8659F50F@lrw.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
At 03:06 PM 9/3/2013, Jerry Leichter wrote:
>On Sep 3, 2013, at 3:16 PM, Faré <fahree@gmail.com> wrote:
> > Can't you trivially transform a hash into a PRNG, a PRNG into a
> > cypher, and vice versa?
>No.
>[...]
>I don't actually know if there exists a construction of a PRNG from a cryptographically secure hash function. (You can build a MAC, but even that's not trivial; people tried all kinds of things that failed until the HMAC construction was proven correct.)
PRNG is not necessarily a cryptographically strong term. But isn't counter-mode hash likely to be ok?
counter = seed;
while (counter++) Output(Hash(counter));
// or as somebody said Output(Hash(seed||counter||seed));
// and you probably need to pad it to be long enough for the hash to be happy.
Obviously if somebody discovers the seed the whole thing is toast.
And you can turn the PRNG into a stream cypher by doing plaintext[x] xor PRNG[x], with the usual limitations.
None of that has any bearing on ITAR, of course.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
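The counter-mode hash PRNG and the XOR stream cipher sketched in Bill Stewart's message, as an added worked example that is not part of the original post or the list discussion. It follows the Output(Hash(seed||counter||seed)) variant; SHA-256, the 8-byte big-endian counter encoding and the function names are assumptions of this example, not something the thread specifies. The last function demonstrates the "usual limitations" mentioned in the post: two messages encrypted under the same seed XOR to the XOR of the plaintexts, so the keystream must never be reused.

```python
import hashlib
import struct
from typing import Iterator


def hash_counter_blocks(seed: bytes, start: int = 0) -> Iterator[bytes]:
    """Yield successive output blocks Hash(seed || counter || seed).

    Hypothetical construction after the post's sketch. SHA-256 and the
    fixed-width 8-byte counter are assumptions of this example; the
    fixed width keeps (seed, counter) encodings unambiguous.
    """
    counter = start
    while True:
        block = hashlib.sha256(seed + struct.pack(">Q", counter) + seed).digest()
        yield block
        counter += 1


def keystream(seed: bytes, nbytes: int) -> bytes:
    """Concatenate output blocks until nbytes of keystream are available."""
    out = bytearray()
    for block in hash_counter_blocks(seed):
        out.extend(block)
        if len(out) >= nbytes:
            break
    return bytes(out[:nbytes])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(seed: bytes, plaintext: bytes) -> bytes:
    """plaintext[x] xor PRNG[x]; applying it again decrypts."""
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))


def keystream_reuse_leak(seed: bytes, p1: bytes, p2: bytes) -> bool:
    """Return True if c1 XOR c2 equals p1 XOR p2 for the common prefix.

    This is the classic stream-cipher limitation: reusing the same seed
    (keystream) for two messages cancels the keystream and leaks the XOR
    of the plaintexts, which is why each message needs a fresh seed or a
    fresh nonce mixed into the counter input.
    """
    c1 = stream_encrypt(seed, p1)
    c2 = stream_encrypt(seed, p2)
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    seed = b"example seed (constructed)"
    msg = b"attack at dawn"
    ct = stream_encrypt(seed, msg)
    assert stream_encrypt(seed, ct) == msg
    print("round trip ok; keystream reuse leaks p1 xor p2:",
          keystream_reuse_leak(seed, b"hello world", b"jello world"))
```

The generator is deterministic in the seed, so the whole output sequence is recoverable by anyone who learns the seed, exactly as the post notes; in practice a standardized design such as a hash-based DRBG with a proper seeding and reseeding policy, or HMAC/HKDF-derived keystream, is used rather than this raw sketch.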