On Tue, Sep 3, 2013 at 6:06 PM, Jerry Leichter <leich...@lrw.com> wrote:
> On Sep 3, 2013, at 3:16 PM, Faré <fah...@gmail.com> wrote:
>> Can't you trivially transform a hash into a PRNG, a PRNG into a
>> cypher, and vice versa?
> No.
>
> Let H(X) = SHA-512(X) || SHA-512(X)
> where '||' is concatenation. Assuming SHA-512 is a cryptographically secure
> hash H trivially is as well. (Nothing in the definition of a cryptographic
> hash function says anything about minimality.) But H(X) is clearly not
> useful for producing a PRNG.
>
Just because it's trivial to produce bogus crypto doesn't mean it's non-trivial to produce good crypto, given a few universal recipes. IIUC, there are already good known ways to go from stream cipher to PRNG, or the other way around, and from a hash to a PRNG, and the other way around. E.g. HMAC-DRBG goes hash to PRNG, the usual construct goes PRNG to stream cipher, and there's quite possibly a secure transform from cipher to hash, though I don't think the topic has been studied enough.

All that to say, if digests are not subject to export, then it's easy to export crypto. Or conversely, if crypto is controlled, then it's easy for the thugs with badges to claim that digests are controlled, if they hate you.

These techniques could also be used to produce cryptosystems that fit in very small source code and/or are the result of an automated search, so they may in practice defeat export restrictions and/or patent claims: just get the user to download it, libdvdcss style.

That said, the missing piece currently seems to be good public key encryption.

—♯ƒ • François-René ÐVB Rideau •Reflection&Cybernethics• http://fare.tunes.org
A child of five would understand this. Send someone to fetch a child of five.
— Groucho Marx

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
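The two "universal recipes" Faré names, hash to PRNG via HMAC-DRBG and PRNG to stream cipher via the usual keystream XOR, as an added worked example (not code from either poster or from the list). The `HmacDrbg` class follows the HMAC_DRBG instantiate/update/generate steps of NIST SP 800-90A over SHA-512, with the optional reseed and additional-input paths omitted; `stream_encrypt` is an illustrative construction that seeds the DRBG with the key and uses the nonce as the personalization string, so the function names, the 32-byte key and the `b"nonce"` value are this example's own choices, not a standard:

```python
import hmac
import hashlib

HASH = hashlib.sha512
OUTLEN = HASH().digest_size  # 64 bytes for SHA-512


class HmacDrbg:
    """Hash -> PRNG: HMAC_DRBG (NIST SP 800-90A, section 10.1.2) over SHA-512.

    Only instantiate, update and generate are implemented; reseeding and
    additional input are left out to keep the recipe visible.
    """

    def __init__(self, entropy: bytes, personalization: bytes = b""):
        # Instantiate: K = 0x00..00, V = 0x01..01, then fold in the seed material.
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(entropy + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, HASH).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: mix 'provided' into (K, V); the second half only
        # runs when there is actual input, exactly as the spec describes.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided)
        self.V = self._hmac(self.K, self.V)
        if provided:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided)
            self.V = self._hmac(self.K, self.V)

    def generate(self, nbytes: int) -> bytes:
        # HMAC_DRBG_Generate: V = HMAC(K, V) yields one output block per step;
        # afterwards (K, V) are updated so earlier output cannot be recovered
        # from the current state (backtracking resistance).
        out = b""
        while len(out) < nbytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(b"")
        self.reseed_counter += 1
        return out[:nbytes]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRNG -> stream cipher, step 1: derive a keystream from (key, nonce).

    The nonce is used as the DRBG personalization string; this is the
    example's own choice of how to bind the nonce, not a standardized mode.
    """
    return HmacDrbg(key, nonce).generate(length)


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """PRNG -> stream cipher, step 2: XOR the message with the keystream."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def stream_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return stream_encrypt(key, nonce, ciphertext)


def nonce_reuse_leak(key: bytes, nonce: bytes, m1: bytes, m2: bytes) -> bytes:
    """Caveat for the PRNG -> cipher step: with the same (key, nonce) the
    keystream repeats, and c1 XOR c2 equals m1 XOR m2, so the cipher is only
    as good as the rule that a nonce is never reused under one key."""
    c1 = stream_encrypt(key, nonce, m1)
    c2 = stream_encrypt(key, nonce, m2)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    key = b"\x42" * 32
    msg = b"attack at dawn"
    ct = stream_encrypt(key, b"nonce-1", msg)
    print(ct.hex())
    print(stream_decrypt(key, b"nonce-1", ct))
```

The `nonce_reuse_leak` helper is there to make the caveat concrete: the hash-to-PRNG step is only half of a cipher, and the keystream-XOR step inherits every one-time-pad rule, so nonce management is where a "trivial" transform usually goes wrong in practice.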