From: Datesfat Chicks on
Let's say I calculate an SHA-512 cryptographic hash.

Then (either as a hexadecimal string or as the binary representation) I feed
that hash through the SHA-512 algorithm to get a new hash.

Then I hash that hash.

Then I hash that hash.

Etc.

Are there any results in any of these directions:

a)Whether doing this will eventually lead to a "cycle" (you'll see the same
value again).

b)The average length of the "cycle".

Clearly, a "cycle" will exist, and the length will be longer than 2^512
elements ... but I'm wondering if anything else is known ...

Thanks, Datesfat

From: Bryan on
Datesfat Chicks wrote:
> Let's say I calculate an SHA-512 cryptographic hash.
>
> Then (either as a hexadecimal string or as the binary representation) I feed
> that hash through the SHA-512 algorithm to get a new hash.
>
> Then I hash that hash.
>
> Then I hash that hash.
>
> Etc.
>
> Are there any results in any of these directions:
>
> a)Whether doing this will eventually lead to a "cycle" (you'll see the same
> value again).

Solid result: Yes, iterated hashing will eventually lead to a cycle.

> b)The average length of the "cycle".

No cycles have been explicitly found. If we optimistically model
SHA-512 as a random mapping of arbitrary bit strings to 512-bit
stings, then the average cycle length is around 2**256.

> Clearly, a "cycle" will exist, and the length will be longer than 2^512
> elements ... but I'm wondering if anything else is known ...

Uh... you lost me. Clearly a cycle will exist, but it won't be longer
than 2^512. Was that a typo?


--
--Bryan
From: Datesfat Chicks on
"Bryan" <bryanjugglercryptographer(a)yahoo.com> wrote in message
news:5c4f0529-9c04-4d8f-8a25-7de03be3a77b(a)g1g2000pro.googlegroups.com...
>
>> Clearly, a "cycle" will exist, and the length will be longer than 2^512
>> elements ... but I'm wondering if anything else is known ...
>
> Uh... you lost me. Clearly a cycle will exist, but it won't be longer
> than 2^512. Was that a typo?

Yes, it was a typo. I meant to type "no longer than" for the obvious reason
that you're clearly aware of or you wouldn't have caught the typo.

Datesfat

From: Bryan on
Datesfat Chicks wrote:
> "Bryan" wrote
[D. Chicks had written:]
> >> Clearly, a "cycle" will exist, and the length will be longer than 2^512
> >> elements ... but I'm wondering if anything else is known ...
>
> > Uh... you lost me. Clearly a cycle will exist, but it won't be longer
> > than 2^512. Was that  a typo?
>
> Yes, it was a typo.  I meant to type "no longer than" for the obvious reason
> that you're clearly aware of or you wouldn't have caught the typo.

Ah, of course.

One result we can show is that if we can exhaust cycles, then we can
find collisions or possibly pre-images. Thus if we believe our
function is a secure cryptographic hash, we must also believe the
cycles are intractably long to walk.

Is that a "solid result", as you requested? I find it reasonably
satisfying in some ways. In other ways, not so much.

--
--Bryan Olson
From: Datesfat Chicks on
"Bryan" <bryanjugglercryptographer(a)yahoo.com> wrote in message
news:bb46f9fd-6295-4d4a-aa13-1e62e0f69a71(a)v29g2000prb.googlegroups.com...
Datesfat Chicks wrote:
> "Bryan" wrote
[D. Chicks had written:]
> >> Clearly, a "cycle" will exist, and the length will be longer than 2^512
> >> elements ... but I'm wondering if anything else is known ...
>
> > Uh... you lost me. Clearly a cycle will exist, but it won't be longer
> > than 2^512. Was that a typo?
>
> Yes, it was a typo. I meant to type "no longer than" for the obvious
> reason
> that you're clearly aware of or you wouldn't have caught the typo.
>
>Ah, of course.
>
>One result we can show is that if we can exhaust cycles, then we can
>find collisions or possibly pre-images. Thus if we believe our
>function is a secure cryptographic hash, we must also believe the
>cycles are intractably long to walk.
>
>Is that a "solid result", as you requested? I find it reasonably
>satisfying in some ways. In other ways, not so much.

I do inexpensive microcontroller work for a living, and there is a
pseudo-random number generator we use:

X(n+1) = (1664525 * X(n) + 1013904223) mod 4294967296,

where "4294967296" is 2**32.

The period was verified to be 2**32 using a PC.

One implication of the "full period" is that when the random number
generator is initialized, we can initialize the seed to any value, because
the "cycle" is all of the 2^32 bit patterns of the seed. So there are no
worries about "short cycles".

So, I was wondering if the same "full period" applied with cryptographic
hashes, or if there was any way to prove it or disprove it.

I did implement FIPS 180-3 (SHA-512) recently, and the document was very
clear, but I really don't understand what all those bit manipulations are
doing.

Datesfat