Sent from my iPad

On Sep 3, 2013, at 6:06 PM, Jerry Leichter <> wrote:

> On Sep 3, 2013, at 3:16 PM, Faré <> wrote:
>> Can't you trivially transform a hash into a PRNG, a PRNG into a
>> cypher, and vice versa?
> No.
>> hash->PRNG: append blocks that are digest (seed ++ counter ++ seed)
> Let H(X) = SHA-512(X) || SHA-512(X)
> where '||' is concatenation.  Assuming SHA-512 is a cryptographically secure 
> hash H trivially is as well.  (Nothing in the definition of a cryptographic 
> hash function says anything about minimality.)  But H(X) is clearly not 
> useful for producing a PRNG.
> If you think this is "obviously" wrong, consider instead:
> H1(X) = SHA-512(X) || SHA-512(SHA-512(X))
> Could you determine, just from black-box access to H1, that it's equally bad 
> as a PRNG?  (You could certainly do it with about 2^256 calls to H1 with 
> distinct inputs - by then you have a .5 chance of a duplicated top half of 
> the output, almost certainly with a distinct bottom half.  But that's a 
> pretty serious bit of testing....)
> I don't actually know if there exists a construction of a PRNG from a 
> cryptographically secure hash function.  (You can build a MAC, but even 
> that's not trivial; people tried all kinds of things that failed until the 
> HMAC construction was proven correct.)
>                                                        -- Jerry
> _______________________________________________
> The cryptography mailing list
The cryptography mailing list

Reply via email to