... > Let H(X) = SHA-512(X) || SHA-512(X) > where '||' is concatenation. Assuming SHA-512 is a cryptographically secure > hash H trivially is as well. (Nothing in the definition of a cryptographic > hash function says anything about minimality.) But H(X) is clearly not > useful for producing a PRNG.
You won't get a prf or stream cipher or prng or block cipher just out of collision resistance--you need some kind of pseudorandomness assumption. We expect general purpose hash functions like Keccak to provide that, but it doesn't follow from the collision resistance assumption, for exactly the reason you gave there--it's possible to design collision-resistant functions that leak input or are predictable in some bits. > I don't actually know if there exists a construction of a PRNG from a > cryptographically secure hash function. (You can build a MAC, but even > that's not trivial; people tried all kinds of things that failed until the > HMAC construction was proven correct.) The HMAC construction wouldn't give a PRF for your example of h(x) = sha512(x) || sha512(x) A single output would be trivial to distinguish from a 1024 bit random number. > -- Jerry --John _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography