Comment by austin-cheney
4 days ago
That misses a factor: what counts as good enough, or the degree of predictability. Ultimately everything eventually becomes predictable if analyzed deeply enough. Another word for that is entropy. That is what my linked comment referred to. For security-sensitive uses, such as PRNGs, the appearance of randomness is not enough.
This is why security analysis requires a higher threshold than software development at large.
A hash function cannot create entropy. Let's be clear about that.
A good hash function will preserve entropy, up to the length of its output. If the input X has K bits of entropy and H is an N-bit cryptographic hash function, then the entropy of H(X) is approximately min(K, N). In simpler terms: garbage in, garbage out (GIGO).
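A toy sketch of that GIGO point (my own example, using nothing beyond Python's standard hashlib): SHA-256 emits 256 bits, but a one-bit input can only ever produce two distinct digests, so the output carries at most one bit of entropy.

```python
import hashlib

# K = 1 bit of input entropy: a single coin flip.
possible_inputs = [b"heads", b"tails"]
possible_digests = {hashlib.sha256(x).hexdigest() for x in possible_inputs}

# SHA-256 emits N = 256 bits, but only two digests are ever possible,
# so H(X) carries min(K, N) = 1 bit of entropy.
print(len(possible_digests))  # 2
```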
However, a hash function also scrambles its input, which means the output is indistinguishable from (uniform) random noise. This is the randomizing property I was talking about, and it is strong enough that hash functions can be used to build stronger primitives: HMACs, PBKDFs, CSPRNGs, etc. There are many formalizations of this property; one of the simplest is that given any k of the N output bits, you cannot predict the remaining N-k bits any better than guessing, even knowing the algorithm.
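For concreteness, here is a rough sketch of how that property gets used (the helper name is mine, and the counter-based generator is a toy illustration, not a vetted CSPRNG). Python's standard library already exposes HMAC and PBKDF2 built on SHA-256, and hashing a secret seed plus a counter is the basic shape of a hash-based generator.

```python
import hashlib
import hmac

key, message = b"secret key", b"some message"

# HMAC: keyed message authentication built directly on SHA-256.
tag = hmac.new(key, message, hashlib.sha256).hexdigest()

# PBKDF2: password stretching built on HMAC-SHA-256.
derived = hashlib.pbkdf2_hmac("sha256", b"hunter2", b"per-user salt", 100_000)

# Toy hash-counter generator (illustration only, NOT a vetted CSPRNG):
# to anyone who does not know the seed, each block is just SHA-256 output.
def toy_stream(seed: bytes, blocks: int) -> bytes:
    return b"".join(
        hashlib.sha256(seed + i.to_bytes(8, "big")).digest()
        for i in range(blocks)
    )

print(tag)
print(derived.hex())
print(toy_stream(b"some unknown seed", 2).hex())
```

Real designs like the NIST DRBGs add reseeding and backtracking resistance on top of this basic idea, but the hash is doing the same job.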
Of course, if you know the input to a hash function, you can predict the output perfectly, and if the input is easy to guess, an attacker can simply enumerate it. But if the input is unknown and carries enough entropy, the hash looks like random noise, and for cryptographic hash functions this is a very strong and fundamental guarantee.
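And a sketch of the flip side (the 4-digit PIN is my own example): when the attacker can enumerate the input space, the 256-bit output doesn't help, because they can just hash every candidate and compare.

```python
import hashlib

# Hypothetical scenario: an attacker sees only the digest of a 4-digit PIN.
target = hashlib.sha256(b"4071").hexdigest()

# ~13 bits of input entropy means the whole space can be enumerated instantly.
recovered = next(
    pin
    for pin in (f"{i:04d}".encode() for i in range(10_000))
    if hashlib.sha256(pin).hexdigest() == target
)
print(recovered)  # b'4071'
```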
I agree that hash functions do not create entropy. That is what I have been saying all along.
> Ultimately everything eventually becomes predictable if analyzed deeply enough.
How would this apply to hash algorithms, but not CSPRNGs?