Sent from my iPad

On Sep 3, 2013, at 6:06 PM, Jerry Leichter <leich...@lrw.com> wrote: > On Sep 3, 2013, at 3:16 PM, Faré <fah...@gmail.com> wrote: >> Can't you trivially transform a hash into a PRNG, a PRNG into a >> cypher, and vice versa? > No. > >> hash->PRNG: append blocks that are digest (seed ++ counter ++ seed) > Let H(X) = SHA-512(X) || SHA-512(X) > where '||' is concatenation. Assuming SHA-512 is a cryptographically secure > hash H trivially is as well. (Nothing in the definition of a cryptographic > hash function says anything about minimality.) But H(X) is clearly not > useful for producing a PRNG. > > If you think this is "obviously" wrong, consider instead: > > H1(X) = SHA-512(X) || SHA-512(SHA-512(X)) > > Could you determine, just from black-box access to H1, that it's equally bad > as a PRNG? (You could certainly do it with about 2^256 calls to H1 with > distinct inputs - by then you have a .5 chance of a duplicated top half of > the output, almost certainly with a distinct bottom half. But that's a > pretty serious bit of testing....) > > I don't actually know if there exists a construction of a PRNG from a > cryptographically secure hash function. (You can build a MAC, but even > that's not trivial; people tried all kinds of things that failed until the > HMAC construction was proven correct.) > -- Jerry > > _______________________________________________ > The cryptography mailing list > cryptography@metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography