Re: SHA2 output as subsequent SHA2 input



Chris McDonald <chris@xxxxxxxxxxxxxxx> writes:
> (Please excuse this naive question!)
>
> I've been asked to investigate the use of SHA2 for random number
> generation. I've located some explanations of that, but my reading
> has generated two additional questions, whose answers are probably well
> understood by readers here.
>
> - Let's say that I have a hash function H and a key K.
> Are there any known weaknesses in the sequence of hash results if I
> keep using the hash output as the next hash input:
>
> R0 = H(K)
> R1 = H(R0)
> R2 = H(R1)
> ....
> Ri+1 = H(Ri)

Except R_n \in Range(H^n), you mean?

H^i will have some short cycles. If you're unlucky enough to
start in a particularly short one (which is unlikely, admittedly),
you're buggered.

R_i = H(K||i), for example, does not have that same issue.

> Obviously the hash's result would need to be sufficiently long.
> In particular, could 256-bit SHA2 be used to provide such a sequence
> of results?

> - If I wish to generate 32-bit integer pseudo random values, can I use, say,
> the same 32 bits from the above sequence to provide these values:
>
> V0 = 32bitsof(R0)
> V1 = 32bitsof(R1)
> ....
> Vi = 32bitsof(Ri)

Each subset of the bits of the hash is supposed to be equally
independent. Therefore the above will work as intended.

However, as all 256 bits are independent, you can get 8 32-bit
values from that 256 bit result.

R_{8i+j} = bits 32*j .. 32j+31 of H(K||i)

therefore does the job equally.


Phil
--
Dear aunt, let's set so double the killer delete select all.
-- Microsoft voice recognition live demonstration
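The two constructions Phil contrasts (feeding each digest back as the next input versus hashing the key with a counter) and the eight-words-per-digest extraction, as an added Python example that is not part of the original thread. The key, the 8-byte big-endian counter encoding and the deliberately truncated `truncated_step` map are assumptions made for illustration; the truncation to 16 bits exists only so that the short-cycle failure mode of the iterated map can actually be found in a few thousand steps, since for the full 256-bit map the expected cycle length is on the order of 2^128 and no one will ever observe it.

```python
import hashlib
import struct
from typing import List, Tuple

# Constructed demonstration key; not a real secret (assumption for the example).
KEY = b"demo-key-not-secret"


def chained(key: bytes, n: int) -> List[bytes]:
    """R0 = H(K), R_{i+1} = H(R_i): each digest is the next input, so the
    generator's state is only the previous digest and it walks a functional
    graph that eventually falls into a cycle."""
    out = []
    r = hashlib.sha256(key).digest()
    for _ in range(n):
        out.append(r)
        r = hashlib.sha256(r).digest()
    return out


def counter_at(key: bytes, i: int) -> bytes:
    """R_i = H(K || i), with i encoded as an 8-byte big-endian counter
    (encoding is an assumption). Random access: R_i needs no earlier R."""
    return hashlib.sha256(key + struct.pack(">Q", i)).digest()


def counter(key: bytes, n: int) -> List[bytes]:
    """First n outputs of the counter construction; no feedback, so the
    sequence cannot repeat until the counter itself wraps."""
    return [counter_at(key, i) for i in range(n)]


def words32(digests: List[bytes]) -> List[int]:
    """Split each 256-bit digest into eight 32-bit words, i.e.
    V_{8i+j} = bits 32j .. 32j+31 of R_i, rather than wasting 224 bits."""
    out: List[int] = []
    for d in digests:
        out.extend(struct.unpack(">8I", d))
    return out


def truncated_step(x: int, bits: int) -> int:
    """x -> first `bits` bits of SHA-256(x). Deliberately tiny state space so
    the cycle of the iterated map can be reached in a demonstration."""
    d = hashlib.sha256(x.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big") >> (32 - bits)


def find_cycle(start: int, bits: int) -> Tuple[int, int]:
    """Floyd's tortoise-and-hare on x -> truncated_step(x, bits).
    Returns (mu, lam): mu steps of tail before entering a cycle of length lam."""
    f = lambda x: truncated_step(x, bits)
    tortoise, hare = f(start), f(f(start))
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(f(hare))
    mu, tortoise = 0, start
    while tortoise != hare:
        tortoise, hare = f(tortoise), f(hare)
        mu += 1
    lam, hare = 1, f(tortoise)
    while tortoise != hare:
        hare = f(hare)
        lam += 1
    return mu, lam


def verify_cycle(start: int, bits: int) -> bool:
    """Independent check of find_cycle: walk mu steps, then lam more steps,
    and confirm the state really comes back to itself."""
    mu, lam = find_cycle(start, bits)
    x = start
    for _ in range(mu):
        x = truncated_step(x, bits)
    y = x
    for _ in range(lam):
        y = truncated_step(y, bits)
    return y == x and 1 <= lam <= 2 ** bits and mu + lam <= 2 ** bits


if __name__ == "__main__":
    print("chained  words:", [hex(w) for w in words32(chained(KEY, 1))])
    print("counter  words:", [hex(w) for w in words32(counter(KEY, 1))])
    mu, lam = find_cycle(0, 16)
    print(f"16-bit truncated map from 0: tail {mu}, cycle length {lam}, "
          f"only {mu + lam} distinct outputs ever")
    print("counter mode, 1000 outputs, distinct:", len(set(counter(KEY, 1000))))
```

The counter construction is also what lets you index outputs directly (`counter_at(KEY, i)`) and parallelise generation, which the feedback chain cannot do. Neither function here is a standards-track DRBG; NIST SP 800-90A's Hash_DRBG is built along the counter lines, with seeding, reseeding and output limits on top, and is what a production system should use.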