Hashing a seed together with a block counter and using as a encipherment scheme: What scheme is more secure in practice?

phantomcraft

11/24/23, 1:33 AM

This question is related to this (but it is not the same).

Let's suppose I have a seed with an entropy of 1024-bits and hash it with a counter using a hash function with one-quarter of the seed size in bits as BLAKE2s (256-bits digest size).

I hash the seed with counters and XOR the result to plaintext.

As said in this answer, some options are (the third I proposed by myself):

H(00∥F) ∥ H(01∥F) ∥ H(02∥F) ∥ H(03∥F)...
H(H(F)∥00) ∥ H(H(F)∥01) ∥ H(H(F)∥02) ∥ H(H(F)∥03)...
H(00∥H(F)) ∥ H(01∥H(F)) ∥ H(02∥H(F)) ∥ H(03∥H(F))...

/\ H is the hash, F is the file and 00, 01, 02, 03 the counters.

PS: For H(F∥00)∥H(F∥01)∥H(F∥02)∥H(F∥03), it was answered here.

Assuming that the hash function is not vulnerable to length-extension attacks and not caring about optimizations, what of these it is the most secure scheme in practice? And why?

1 + 2

seed

forest

11/24/23, 1:38 AM

Are you assuming the hash function is not vulnerable to length-extension attacks? And do you care about optimizations? Finally, do you care about which is slightly more secure in theory, or only whether or not one of them is more secure than the others _in practice_?

phantomcraft

11/24/23, 3:26 AM

I modified the question. What I want to know is what scheme is more secure (in practice). And yes, hash function should be immune to length-extension attacks, not counting optimizations (just what is more secure) and of course, what is more secure in practice (I don't like theories very much).

Score:2

Crypto

Daniel S

11/24/23, 7:39 AM

I’m unsure of your exact definition of practical, but the first scheme is more secure than the other two. From an entropy point of view, the second and third schemes throw away roughly three-quarters of the key entropy. Put another way, they have very large families of equivalent keys: every pair of values $F$ and $F’$ with $H(F)=H(F’)$ produce the same stream under schemes 2 and 3.

In particular, if $2^{128}$ instances of the cipher are used, there are likely to be two instances with the same key stream. This may not count as practical, but is very undesirable.

On a slightly related picky note, you should require that the seed have a large min-entropy and not just a large Shannon entropy. It is possible to construct sources of random numbers that have over, say, 1024-bits of entropy but which output one particular number, say, half of the time.

+ 4

phantomcraft

11/24/23, 5:29 PM

Are you saying 2^128 instances because it's half of Blake2s digest size (256-bits)?

Daniel S

11/24/23, 7:21 PM

@phantomcraft Yes, in particular that is the birthday bound for a collision.

phantomcraft

11/24/23, 11:10 PM

You said about birthday bound for a collision in another paragraph of your answer, did you mean that this is also applicable to H(00∥F) ∥ H(01∥F) ∥ H(02∥F) ∥ H(03∥F)... ?

Daniel S

11/25/23, 7:53 AM

The birthday issue does not apply as strongly in the first case, if $H$ is a well-designed hash function, then whole stream should only collide if $F=F'$. With cases 2 and 3 the streams will collide if $H(F)=H(F')$. For uniformly distributed $F$ and $F'$ the first is $2^{-1024}$ event and is likely to occur in a sample of $2^{512}$ streams; the second and third is a $2^{-256}$ event and is likely to occur in a sample of $2^{128}$ streams.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Hashing a seed together with a block counter and using as a encipherment scheme: What scheme is more secure in practice?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.