Do hash functions need to “look random”?











up vote
5
down vote

favorite
1












I've noticed that looking random is not often listed as a requirement for a good hash function in the same way that preimage or collision resistance is.




  • Do we need hash functions to look random?


Specifically, suppose $s$ is a seed, and consider the PRNG that outputs $$H(s |0) | H(s |1 ) | H(s |2) | ...$$




  • Do we need this to be indistinguishable from random?

  • Will any protocols be weakened if it wasn't?






hash random-number-generator







share|improve this question




















  • 1




    looking random? What is the definition? We can apply some statistical test to determine the randomness. If they fail to pass some margins, this will indicate that there is some weakness in the construction to behave like randomly.
    – kelalaka
    Nov 8 at 9:03












  • Note that for hash functions to have $n$ bits of security or $n/2$ bits of security for collision resistance you would expect a relatively well distributed output: if some values are more likely then the security of the function would also be affected. A hash with an output of 256 bits would not deliver 256 / 128 bits of security, in other words.
    – Maarten Bodewes
    Nov 8 at 15:13










  • "Being random" is an opposite to "having patterns". And "having patterns" is close to "insecure". So if you are talking about cryptografically secure hash function then I would say "yes".
    – freakish
    Nov 8 at 20:53












  • I found that Matthew Green's blog post about indifferentiability and his series about the Random Oracle Model are wonky-but-not-too-hard readings to get a beginner's sense of hash functions vs. randomness. Lots of linked references to follow up, too.
    – Luis Casillas
    Nov 9 at 0:25










  • @kelalaka By "looking random" I mean : For every efficient adversary that takes in a bitstring and outputs 0 or 1, give the adversary either H(s ||0) || H(s || 1) || H(s || 2) || ...., or a random string . The difference in the probability that the adversary outputs 1 is negligible.
    – David Lui
    Nov 9 at 4:58















up vote
5
down vote

favorite
1












I've noticed that looking random is not often listed as a requirement for a good hash function in the same way that preimage or collision resistance is.




  • Do we need hash functions to look random?


Specifically, suppose $s$ is a seed, and consider the PRNG that outputs $$H(s |0) | H(s |1 ) | H(s |2) | ...$$




  • Do we need this to be indistinguishable from random?

  • Will any protocols be weakened if it wasn't?






hash random-number-generator







share|improve this question




















  • 1




    looking random? What is the definition? We can apply some statistical test to determine the randomness. If they fail to pass some margins, this will indicate that there is some weakness in the construction to behave like randomly.
    – kelalaka
    Nov 8 at 9:03












  • Note that for hash functions to have $n$ bits of security or $n/2$ bits of security for collision resistance you would expect a relatively well distributed output: if some values are more likely then the security of the function would also be affected. A hash with an output of 256 bits would not deliver 256 / 128 bits of security, in other words.
    – Maarten Bodewes
    Nov 8 at 15:13










  • "Being random" is an opposite to "having patterns". And "having patterns" is close to "insecure". So if you are talking about cryptografically secure hash function then I would say "yes".
    – freakish
    Nov 8 at 20:53












  • I found that Matthew Green's blog post about indifferentiability and his series about the Random Oracle Model are wonky-but-not-too-hard readings to get a beginner's sense of hash functions vs. randomness. Lots of linked references to follow up, too.
    – Luis Casillas
    Nov 9 at 0:25










  • @kelalaka By "looking random" I mean : For every efficient adversary that takes in a bitstring and outputs 0 or 1, give the adversary either H(s ||0) || H(s || 1) || H(s || 2) || ...., or a random string . The difference in the probability that the adversary outputs 1 is negligible.
    – David Lui
    Nov 9 at 4:58













up vote
5
down vote

favorite
1









up vote
5
down vote

favorite
1






1





I've noticed that looking random is not often listed as a requirement for a good hash function in the same way that preimage or collision resistance is.




  • Do we need hash functions to look random?


Specifically, suppose $s$ is a seed, and consider the PRNG that outputs $$H(s |0) | H(s |1 ) | H(s |2) | ...$$




  • Do we need this to be indistinguishable from random?

  • Will any protocols be weakened if it wasn't?






hash random-number-generator







share|improve this question















I've noticed that looking random is not often listed as a requirement for a good hash function in the same way that preimage or collision resistance is.




  • Do we need hash functions to look random?


Specifically, suppose $s$ is a seed, and consider the PRNG that outputs $$H(s |0) | H(s |1 ) | H(s |2) | ...$$




  • Do we need this to be indistinguishable from random?

  • Will any protocols be weakened if it wasn't?






hash random-number-generator




hash random-number-generator






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 8 at 9:04









kelalaka

4,07211635




4,07211635










asked Nov 8 at 8:26









David Lui

1533




1533








  • 1




    looking random? What is the definition? We can apply some statistical test to determine the randomness. If they fail to pass some margins, this will indicate that there is some weakness in the construction to behave like randomly.
    – kelalaka
    Nov 8 at 9:03












  • Note that for hash functions to have $n$ bits of security or $n/2$ bits of security for collision resistance you would expect a relatively well distributed output: if some values are more likely then the security of the function would also be affected. A hash with an output of 256 bits would not deliver 256 / 128 bits of security, in other words.
    – Maarten Bodewes
    Nov 8 at 15:13










  • "Being random" is an opposite to "having patterns". And "having patterns" is close to "insecure". So if you are talking about cryptografically secure hash function then I would say "yes".
    – freakish
    Nov 8 at 20:53












  • I found that Matthew Green's blog post about indifferentiability and his series about the Random Oracle Model are wonky-but-not-too-hard readings to get a beginner's sense of hash functions vs. randomness. Lots of linked references to follow up, too.
    – Luis Casillas
    Nov 9 at 0:25










  • @kelalaka By "looking random" I mean : For every efficient adversary that takes in a bitstring and outputs 0 or 1, give the adversary either H(s ||0) || H(s || 1) || H(s || 2) || ...., or a random string . The difference in the probability that the adversary outputs 1 is negligible.
    – David Lui
    Nov 9 at 4:58














  • 1




    looking random? What is the definition? We can apply some statistical test to determine the randomness. If they fail to pass some margins, this will indicate that there is some weakness in the construction to behave like randomly.
    – kelalaka
    Nov 8 at 9:03












  • Note that for hash functions to have $n$ bits of security or $n/2$ bits of security for collision resistance you would expect a relatively well distributed output: if some values are more likely then the security of the function would also be affected. A hash with an output of 256 bits would not deliver 256 / 128 bits of security, in other words.
    – Maarten Bodewes
    Nov 8 at 15:13










  • "Being random" is an opposite to "having patterns". And "having patterns" is close to "insecure". So if you are talking about cryptografically secure hash function then I would say "yes".
    – freakish
    Nov 8 at 20:53












  • I found that Matthew Green's blog post about indifferentiability and his series about the Random Oracle Model are wonky-but-not-too-hard readings to get a beginner's sense of hash functions vs. randomness. Lots of linked references to follow up, too.
    – Luis Casillas
    Nov 9 at 0:25










  • @kelalaka By "looking random" I mean : For every efficient adversary that takes in a bitstring and outputs 0 or 1, give the adversary either H(s ||0) || H(s || 1) || H(s || 2) || ...., or a random string . The difference in the probability that the adversary outputs 1 is negligible.
    – David Lui
    Nov 9 at 4:58








1




1




looking random? What is the definition? We can apply some statistical test to determine the randomness. If they fail to pass some margins, this will indicate that there is some weakness in the construction to behave like randomly.
– kelalaka
Nov 8 at 9:03






looking random? What is the definition? We can apply some statistical test to determine the randomness. If they fail to pass some margins, this will indicate that there is some weakness in the construction to behave like randomly.
– kelalaka
Nov 8 at 9:03














Note that for hash functions to have $n$ bits of security or $n/2$ bits of security for collision resistance you would expect a relatively well distributed output: if some values are more likely then the security of the function would also be affected. A hash with an output of 256 bits would not deliver 256 / 128 bits of security, in other words.
– Maarten Bodewes
Nov 8 at 15:13




Note that for hash functions to have $n$ bits of security or $n/2$ bits of security for collision resistance you would expect a relatively well distributed output: if some values are more likely then the security of the function would also be affected. A hash with an output of 256 bits would not deliver 256 / 128 bits of security, in other words.
– Maarten Bodewes
Nov 8 at 15:13












"Being random" is an opposite to "having patterns". And "having patterns" is close to "insecure". So if you are talking about cryptografically secure hash function then I would say "yes".
– freakish
Nov 8 at 20:53






"Being random" is an opposite to "having patterns". And "having patterns" is close to "insecure". So if you are talking about cryptografically secure hash function then I would say "yes".
– freakish
Nov 8 at 20:53














I found that Matthew Green's blog post about indifferentiability and his series about the Random Oracle Model are wonky-but-not-too-hard readings to get a beginner's sense of hash functions vs. randomness. Lots of linked references to follow up, too.
– Luis Casillas
Nov 9 at 0:25




I found that Matthew Green's blog post about indifferentiability and his series about the Random Oracle Model are wonky-but-not-too-hard readings to get a beginner's sense of hash functions vs. randomness. Lots of linked references to follow up, too.
– Luis Casillas
Nov 9 at 0:25












@kelalaka By "looking random" I mean : For every efficient adversary that takes in a bitstring and outputs 0 or 1, give the adversary either H(s ||0) || H(s || 1) || H(s || 2) || ...., or a random string . The difference in the probability that the adversary outputs 1 is negligible.
– David Lui
Nov 9 at 4:58




@kelalaka By "looking random" I mean : For every efficient adversary that takes in a bitstring and outputs 0 or 1, give the adversary either H(s ||0) || H(s || 1) || H(s || 2) || ...., or a random string . The difference in the probability that the adversary outputs 1 is negligible.
– David Lui
Nov 9 at 4:58










1 Answer
1






active

oldest

votes

















up vote
15
down vote



accepted










The answer is most certainly not! Well, I sort of lied, since it depends on what you are doing. I'll explain.



The basic property of hash functions is collision resistance, and this requires nothing beyond that. The output doesn't have to look random in any form, and this suffices for anywhere that you need collision resistance.



However, in many cases, because most hash functions in practice do look sort of random (completely undefined), they are used for other things. For example, HMAC assumes that the compression function (with one part of the input being the key) is essentially a pseudorandom function. More extreme, but very common examples, are the modeling of the hash function as a "random oracle". This is used for OEAP encryption padding, in most cases in practice for signatures, and more. You also somewhat assume this property for hashing passwords. (Note that for any hash function $H$, if you define $H'(x) = x|_n|H(x)$ where $x|_n$ is the first $n$ bits of $x$, then $H'$ is collision resistant if $H$ is collision resistant. However $H'$ would be a very poor choice for password hashing.)






share|improve this answer

















  • 1




    It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
    – Daniel
    Nov 8 at 13:33








  • 1




    @Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
    – Maeher
    Nov 8 at 14:57








  • 1




    An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
    – Ken Goss
    Nov 8 at 15:16






  • 1




    @UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
    – Yehuda Lindell
    Nov 8 at 15:33






  • 1




    @UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
    – Yehuda Lindell
    Nov 8 at 15:42











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63780%2fdo-hash-functions-need-to-look-random%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
15
down vote



accepted










The answer is most certainly not! Well, I sort of lied, since it depends on what you are doing. I'll explain.



The basic property of hash functions is collision resistance, and this requires nothing beyond that. The output doesn't have to look random in any form, and this suffices for anywhere that you need collision resistance.



However, in many cases, because most hash functions in practice do look sort of random (completely undefined), they are used for other things. For example, HMAC assumes that the compression function (with one part of the input being the key) is essentially a pseudorandom function. More extreme, but very common examples, are the modeling of the hash function as a "random oracle". This is used for OEAP encryption padding, in most cases in practice for signatures, and more. You also somewhat assume this property for hashing passwords. (Note that for any hash function $H$, if you define $H'(x) = x|_n|H(x)$ where $x|_n$ is the first $n$ bits of $x$, then $H'$ is collision resistant if $H$ is collision resistant. However $H'$ would be a very poor choice for password hashing.)






share|improve this answer

















  • 1




    It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
    – Daniel
    Nov 8 at 13:33








  • 1




    @Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
    – Maeher
    Nov 8 at 14:57








  • 1




    An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
    – Ken Goss
    Nov 8 at 15:16






  • 1




    @UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
    – Yehuda Lindell
    Nov 8 at 15:33






  • 1




    @UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
    – Yehuda Lindell
    Nov 8 at 15:42















up vote
15
down vote



accepted










The answer is most certainly not! Well, I sort of lied, since it depends on what you are doing. I'll explain.



The basic property of hash functions is collision resistance, and this requires nothing beyond that. The output doesn't have to look random in any form, and this suffices for anywhere that you need collision resistance.



However, in many cases, because most hash functions in practice do look sort of random (completely undefined), they are used for other things. For example, HMAC assumes that the compression function (with one part of the input being the key) is essentially a pseudorandom function. More extreme, but very common examples, are the modeling of the hash function as a "random oracle". This is used for OEAP encryption padding, in most cases in practice for signatures, and more. You also somewhat assume this property for hashing passwords. (Note that for any hash function $H$, if you define $H'(x) = x|_n|H(x)$ where $x|_n$ is the first $n$ bits of $x$, then $H'$ is collision resistant if $H$ is collision resistant. However $H'$ would be a very poor choice for password hashing.)






share|improve this answer

















  • 1




    It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
    – Daniel
    Nov 8 at 13:33








  • 1




    @Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
    – Maeher
    Nov 8 at 14:57








  • 1




    An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
    – Ken Goss
    Nov 8 at 15:16






  • 1




    @UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
    – Yehuda Lindell
    Nov 8 at 15:33






  • 1




    @UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
    – Yehuda Lindell
    Nov 8 at 15:42













up vote
15
down vote



accepted







up vote
15
down vote



accepted






The answer is most certainly not! Well, I sort of lied, since it depends on what you are doing. I'll explain.



The basic property of hash functions is collision resistance, and this requires nothing beyond that. The output doesn't have to look random in any form, and this suffices for anywhere that you need collision resistance.



However, in many cases, because most hash functions in practice do look sort of random (completely undefined), they are used for other things. For example, HMAC assumes that the compression function (with one part of the input being the key) is essentially a pseudorandom function. More extreme, but very common examples, are the modeling of the hash function as a "random oracle". This is used for OEAP encryption padding, in most cases in practice for signatures, and more. You also somewhat assume this property for hashing passwords. (Note that for any hash function $H$, if you define $H'(x) = x|_n|H(x)$ where $x|_n$ is the first $n$ bits of $x$, then $H'$ is collision resistant if $H$ is collision resistant. However $H'$ would be a very poor choice for password hashing.)






share|improve this answer












The answer is most certainly not! Well, I sort of lied, since it depends on what you are doing. I'll explain.



The basic property of hash functions is collision resistance, and this requires nothing beyond that. The output doesn't have to look random in any form, and this suffices for anywhere that you need collision resistance.



However, in many cases, because most hash functions in practice do look sort of random (completely undefined), they are used for other things. For example, HMAC assumes that the compression function (with one part of the input being the key) is essentially a pseudorandom function. More extreme, but very common examples, are the modeling of the hash function as a "random oracle". This is used for OEAP encryption padding, in most cases in practice for signatures, and more. You also somewhat assume this property for hashing passwords. (Note that for any hash function $H$, if you define $H'(x) = x|_n|H(x)$ where $x|_n$ is the first $n$ bits of $x$, then $H'$ is collision resistant if $H$ is collision resistant. However $H'$ would be a very poor choice for password hashing.)







share|improve this answer












share|improve this answer



share|improve this answer










answered Nov 8 at 12:21









Yehuda Lindell

18.2k3359




18.2k3359








  • 1




    It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
    – Daniel
    Nov 8 at 13:33








  • 1




    @Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
    – Maeher
    Nov 8 at 14:57








  • 1




    An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
    – Ken Goss
    Nov 8 at 15:16






  • 1




    @UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
    – Yehuda Lindell
    Nov 8 at 15:33






  • 1




    @UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
    – Yehuda Lindell
    Nov 8 at 15:42














  • 1




    It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
    – Daniel
    Nov 8 at 13:33








  • 1




    @Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
    – Maeher
    Nov 8 at 14:57








  • 1




    An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
    – Ken Goss
    Nov 8 at 15:16






  • 1




    @UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
    – Yehuda Lindell
    Nov 8 at 15:33






  • 1




    @UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
    – Yehuda Lindell
    Nov 8 at 15:42








1




1




It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
– Daniel
Nov 8 at 13:33






It's also good to add that there is a strong separation between collision-resistance and "looking random", i.e. you can have collision-resistant hash functions whose output does not look random at all! e.g. $H'(x) = 0^ell|H(x)$ where $H$ is a collision-resistant hash function. (Realized you addressed this in the answer already)
– Daniel
Nov 8 at 13:33






1




1




@Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
– Maeher
Nov 8 at 14:57






@Daniel You can even give an example in the other direction. I.e., a function can look random for some reasonable interpretation of "looking random" but have trivial collisions. E.g., if the function would happen to be a PRG for inputs somewhat shorter than the output size. Those certainly "look random", but their security says nothing about collisions.
– Maeher
Nov 8 at 14:57






1




1




An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
– Ken Goss
Nov 8 at 15:16




An interesting class of hashes to consider in this discussion are similarity preserving hashes. These are very intentionally and specifically non-random, and are very useful in a number of scenarios. A survey of the motivations and methods is given here: arxiv.org/pdf/1408.2927.pdf
– Ken Goss
Nov 8 at 15:16




1




1




@UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
– Yehuda Lindell
Nov 8 at 15:33




@UKMonkey this is not a good example since it doesn’t compress the output. Collision resistance without compression is trivial and uninteresting.
– Yehuda Lindell
Nov 8 at 15:33




1




1




@UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
– Yehuda Lindell
Nov 8 at 15:42




@UKMonkey an arbitrary size means that it has to work for arbitrary size inputs, so also large inputs.
– Yehuda Lindell
Nov 8 at 15:42


















draft saved

draft discarded




















































Thanks for contributing an answer to Cryptography Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63780%2fdo-hash-functions-need-to-look-random%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

這個網誌中的熱門文章

Academy of Television Arts & Sciences

圖片
American television organization Academy of Television Arts & Sciences Founded 1946 ; 73 years ago  ( 1946 ) Location North Hollywood, California, United States Area served Television industry Product Emmy Awards Key people Frank Scherma ( Chairman and CEO ) Website televisionacademy.com [redirects to emmys.com , official website of the Emmys and the Television Academy The Academy of Television Arts & Sciences ( ATAS ), also colloquially known as the Television Academy , is a professional honorary organization dedicated to the advancement of the television industry in the United States. Founded in 1946, the organization presents the Primetime Emmy Awards, an annual ceremony honoring achievement in U.S. primetime television. Contents 1 History 2 Emmy Award 3 Publications and programs 4 Current governance 4.1 Board of Governors 5 Television Academy honors 5.1 1st Annual (2008) 5.2 2nd Annual (2009)...
閱讀完整內容

L'Équipe

圖片
For other uses, see Équipe (disambiguation). L'Équipe The front page of L'Équipe on 4 July 2011 Type Daily newspaper Format Tabloid Owner(s) Éditions Philippe Amaury Editor François Morinière Editor-in-chief Fabrice Jouhaud Founded 1946 Language French Headquarters Boulogne-Billancourt ISSN 0153-1069 Website www.lequipe.fr L'Équipe ( pronounced  [lekip] , French for "the team") is a French nationwide daily newspaper devoted to sport, owned by Éditions Philippe Amaury. The paper is noted for coverage of association football , rugby, motorsport and cycling. Its predecessor was L'Auto , a general sports paper whose name reflected not any narrow interest but the excitement of the time in car racing. L'Auto originated the Tour de France cycling stage race in 1903 as a circulation booster. The race leader's yellow jersey (French: maillot jaune ) was instituted in 1919, probably to reflect the dist...
閱讀完整內容

1995 France bombings

圖片
This article is a rough translation from French . It may have been generated by a computer or by a translator without dual proficiency. Please help to enhance the translation. The original article is under "français" in the "languages" sidebar. See this article's entry on Pages needing translation into English for discussion. 1995 France bombings Part of Algerian Civil War (spillover) Plaque commemorating the victims of the Saint-Michel station bombing on 25 July 1995 Location Paris and Lyon, France Date 25 July 1995  ( 1995-07-25 ) – 17 October 1995  ( 1995-10-17 ) Weapons Improvised explosive devices, school bombing Deaths 8 Non-fatal injuries 157 Perpetrator Armed Islamic Group Motive To induce the French government to withdraw support from the Algerian government during the Algerian Civil War The 1995 bombings in France were carried out by the Armed Islamic Group (GIA), who were broadening the Alger...
閱讀完整內容