[cryptography] Weak random data XOR good enough random data = better random data?

Joseph Ashwood ashwood at msn.com
Wed Sep 3 18:04:48 EDT 2014


From: Lodewijk andré de la porte
Subject: Re: [cryptography] Weak random data XOR good enough random data = better random data?

> Come to think of it, is there or why isn't there a block-cipher mode that 
> chains using a hashing algorithm?

The main reason would be difficulty in proving security.

Spacing on the term right now, but I’ll call it a cycle. Every hash function 
has cycles, so to define it:

H[0] = Hash(input)
H[N] = Hash(H[N-1])

The problem is that H[i] == H[j] where i =/= j. Every input for every hash 
has cycles, and current hashes have large numbers of them.

CTR mode relies on the cycle length being 2^block_size. CBC relies on 
the cycle length being very long. Proving the minimum cycle length in a hash 
is not something that I am aware of ever having been done, making it 
effectively impossible to prove security.

So while using a hash function in the block chaining sounds like a good 
idea, because we have proofs of security for CTR and CBC that say they are 
no weaker than the cipher, the hash mode would have to actually prove that 
it is stronger than the underlying cipher for the extra computation to be 
worth it.

I can’t say that it is impossible to do, just that it hasn't been done, and 
I don't expect it to be done.
                    Joe
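As an added illustration of the cycle argument above (this is not code from the thread or from any of its participants): iterating H[N] = Hash(H[N-1]) on a truncated SHA-256 and measuring, with Floyd's tortoise-and-hare, how many steps the chain runs before it enters a cycle and how long that cycle is. The truncation width `bits` is an assumption chosen so the search finishes in well under a second; the cycle lengths it finds are close to sqrt(pi * 2^bits / 8), the random-function average, rather than the 2^bits a CTR counter guarantees.

```python
"""Cycle structure of an iterated hash H[N] = Hash(H[N-1]) (added example)."""
import hashlib
import math


def find_cycle(f, x0):
    """Floyd's algorithm on x0, f(x0), f(f(x0)), ...

    Returns (mu, lam): mu is the index of the first element on the cycle
    (the tail length), lam is the cycle length, so x[mu + lam] == x[mu].
    O(mu + lam) time, O(1) memory."""
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:                 # hare moves twice as fast
        tortoise, hare = f(tortoise), f(f(hare))
    mu, tortoise = 0, x0                    # restart tortoise; gap is k*lam
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    lam, hare = 1, f(tortoise)              # walk once around the cycle
    while tortoise != hare:
        hare = f(hare)
        lam += 1
    return mu, lam


def truncated_sha256(bits):
    """Hash on `bits`-bit integers: SHA-256 with its output truncated.
    Truncation only shrinks the space so the cycle is found quickly."""
    nbytes = (bits + 7) // 8
    mask = (1 << bits) - 1

    def h(x):
        digest = hashlib.sha256(x.to_bytes(nbytes, "big")).digest()
        return int.from_bytes(digest[:nbytes], "big") & mask
    return h


def hash_chain_cycle(seed, bits=20):
    """(tail, cycle) of H[0] = Hash(seed), H[N] = Hash(H[N-1])."""
    h = truncated_sha256(bits)
    return find_cycle(h, h(seed))


def expected_cycle_length(bits):
    """Mean cycle length of a random function on 2**bits points,
    sqrt(pi * 2**bits / 8) (Flajolet-Odlyzko); a CTR counter gives 2**bits."""
    return math.sqrt(math.pi * 2 ** bits / 8)


if __name__ == "__main__":
    for seed in (1, 2, 3):                  # constructed sample seeds
        mu, lam = hash_chain_cycle(seed, 20)
        print(f"seed {seed}: tail {mu}, cycle {lam}, space 2^20 = {2 ** 20}")
    print(f"random-function average cycle: {expected_cycle_length(20):.0f}")
```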


