On Tue, Sep 3, 2013 at 6:06 PM, Jerry Leichter <leich...@lrw.com> wrote:
> On Sep 3, 2013, at 3:16 PM, Faré <fah...@gmail.com> wrote:
>> Can't you trivially transform a hash into a PRNG, a PRNG into a
>> cypher, and vice versa?
> No.

> Let H(X) = SHA-512(X) || SHA-512(X)
> where '||' is concatenation.  Assuming SHA-512 is a cryptographically secure 
> hash H trivially is as well.  (Nothing in the definition of a cryptographic 
> hash function says anything about minimality.)  But H(X) is clearly not 
> useful for producing a PRNG.
Just because it's trivial to produce bogus crypto doesn't mean it's
non-trivial to produce good crypto, given a few universal recipes.
IIUC, there are already good known ways to go from stream cipher to
PRNG, or the other way around, and from a hash to a PRNG, and the
other way around.

e.g HMAC-DRBG goes hash to prng, the usual construct goes prng to
stream cipher, and there's quite possibly a secure transform from
cipher to hash, though I don't think the topic has been studied

All that to say, if digests are not subject to export, then it's easy
to export crypto. Or conversely, if crypto is controlled, then it's
easy for the thugs with badges to claim that digests are controlled,
if they hate you.

These techniques could also be used to produce cryptosystems that fit
in very small source code and/or are the result of an automated
search, so they may in practice defeat export restrictions and/or
patent claims: just get the user to download it, libdvdcss style.

That said, the missing piece currently seems to be good public key encryption.

—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
A child of five would understand this. Send someone to fetch a child of five.
        — Groucho Marx
The cryptography mailing list

Reply via email to