[146641] in cryptography@c2.net mail archive


Re: [Cryptography] FIPS, NIST and ITAR questions

daemon@ATHENA.MIT.EDU (John Kelsey)
Fri Sep 6 02:41:35 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <F6097361-4D92-4A4B-8963-8BFF8659F50F@lrw.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Fri, 6 Sep 2013 01:40:54 -0400
To: Jerry Leichter <leichter@lrw.com>
Cc: Faré <fahree@gmail.com>,
	Cryptography Mailing List <cryptography@metzdowd.com>,
	Richard Salz <rich.salz@gmail.com>, "radix42@gmail.com" <radix42@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


...
> Let H(X) = SHA-512(X) || SHA-512(X)
> where '||' is concatenation.  Assuming SHA-512 is a cryptographically secure hash H trivially is as well.  (Nothing in the definition of a cryptographic hash function says anything about minimality.)  But H(X) is clearly not useful for producing a PRNG.

You won't get a PRF or stream cipher or PRNG or block cipher just out of collision resistance--you need some kind of pseudorandomness assumption.  We expect general purpose hash functions like Keccak to provide that, but it doesn't follow from the collision resistance assumption, for exactly the reason you gave there--it's possible to design collision-resistant functions that leak input or are predictable in some bits.

> I don't actually know if there exists a construction of a PRNG from a cryptographically secure hash function.  (You can build a MAC, but even that's not trivial; people tried all kinds of things that failed until the HMAC construction was proven correct.)

The HMAC construction wouldn't give a PRF for your example of 

h(x) = sha512(x) || sha512(x)

A single output would be trivial to distinguish from a 1024 bit random number.  

>                                                        -- Jerry

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
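The following is an added worked example, not part of the thread above and not code by either correspondent. It builds the hash from Jerry's example, h(x) = SHA-512(x) || SHA-512(x), plugs it into a textbook HMAC (RFC 2104, with the 128-byte SHA-512 block size assumed for the doubled variant as well), and shows the distinguisher John describes: a single HMAC output is recognised with certainty because its two 512-bit halves are identical, while a random 1024-bit string has those halves equal with probability 2^-512. The function and variable names here are the example's own choices, and the messages and keys are constructed inline.

```python
import hashlib
import hmac
import os

BLOCK = 128  # SHA-512 block size in bytes; assumed for the doubled hash too


def sha512(msg: bytes) -> bytes:
    return hashlib.sha512(msg).digest()


def doubled_sha512(msg: bytes) -> bytes:
    """h(x) = SHA-512(x) || SHA-512(x): 1024-bit output, still collision
    resistant (any collision in h is a collision in SHA-512), but half the
    output is a copy of the other half."""
    d = sha512(msg)
    return d + d


def hmac_generic(hash_fn, key: bytes, msg: bytes, block_size: int = BLOCK) -> bytes:
    """Textbook HMAC over an arbitrary hash function: H((K^opad) || H((K^ipad) || m))."""
    if len(key) > block_size:
        key = hash_fn(key)
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return hash_fn(opad + hash_fn(ipad + msg))


def matches_stdlib_hmac() -> bool:
    """Sanity check of the generic HMAC against hashlib's HMAC-SHA512."""
    key, msg = b"constructed-key", b"constructed-message"
    return hmac_generic(sha512, key, msg) == hmac.new(key, msg, hashlib.sha512).digest()


def distinguisher(sample: bytes) -> str:
    """Guess whether a 1024-bit string came from HMAC over the doubled hash.
    Equal halves: almost certainly the doubled hash; unequal: random."""
    half = len(sample) // 2
    return "doubled" if sample[:half] == sample[half:] else "random"


def distinguishing_advantage(n_trials: int = 256) -> float:
    """Pr[distinguisher says 'doubled' | real HMAC output]
       - Pr[distinguisher says 'doubled' | uniform 1024-bit string]."""
    key = os.urandom(32)
    hits_real = sum(
        distinguisher(hmac_generic(doubled_sha512, key, i.to_bytes(4, "big"))) == "doubled"
        for i in range(n_trials)
    )
    hits_random = sum(distinguisher(os.urandom(128)) == "doubled" for _ in range(n_trials))
    return hits_real / n_trials - hits_random / n_trials


if __name__ == "__main__":
    assert matches_stdlib_hmac()
    print("HMAC over SHA-512||SHA-512 advantage:", distinguishing_advantage())
    print("HMAC over plain SHA-512 looks doubled?",
          distinguisher(hmac_generic(sha512, b"k", b"m") * 1))
```

Note that HMAC adds nothing here: the outer hash call produces a doubled output no matter what went in, so the structure of h survives into every HMAC tag. A PRF needs the hash to behave pseudorandomly on its own, which is a separate assumption from collision resistance, exactly as the reply states.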
