[11219] in cryptography@c2.net mail archive
Re: building a true RNG
daemon@ATHENA.MIT.EDU (David Wagner)
Sat Jul 27 17:35:01 2002
X-Envelope-To: cryptography@wasabisystems.com
To: cryptography@wasabisystems.com
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 27 Jul 2002 20:15:02 GMT
X-Complaints-To: news@abraham.cs.berkeley.edu
John S. Denker wrote:
>Amir Herzberg wrote:
>> So I ask: is there a definition of this `no wasted entropy` property, which
>> hash functions can be assumed to have (and tested for), and which ensures
>> the desired extraction of randomness?
>
>That's the right question.
>
>The answer I give in the paper is
>
> What we are asking is not really very special. We
> merely ask that the hash-codes in the second
> column be well mixed.
Alas, that's not a very precise definition.
Actually, my intuition differs from yours. My intuition is that
entropy collection requires fairly strong assumptions about the hash.
For instance, collision-freedom isn't enough. One-wayness isn't enough.
We need something stronger, and something that appears difficult to
formalize in any precise, mathematically rigorous way.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
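Wagner's point above, that collision resistance and one-wayness by themselves do not guarantee "well mixed" output, can be made concrete with a separating example. This is an added illustration, not code from the thread or from Denker's paper: it assumes SHA-256 as the underlying hash and feeds it a constructed, deliberately biased source.

```python
"""Separating example: a function that inherits SHA-256's collision
resistance and one-wayness yet fails as an entropy extractor."""
import hashlib
import math
import random


def leaky_hash(x: bytes) -> bytes:
    # Hypothetical bad extractor: SHA-256 of the sample, then one byte that
    # copies the sample's low-order bit verbatim. Any collision or preimage
    # for this function gives one for SHA-256, so it is as collision
    # resistant and one-way as SHA-256; but its last bit is not mixed at
    # all and inherits whatever bias the source has.
    return hashlib.sha256(x).digest() + bytes([x[-1] & 1])


def biased_samples(n: int, p_one: float, seed: int = 1) -> list[bytes]:
    # Constructed stand-in for a physical source whose low bit is 1 with
    # probability p_one while the other 31 bits are uniform. Seeded so the
    # run is reproducible; this is not a real hardware source.
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        high = rng.getrandbits(31) << 1
        low = 1 if rng.random() < p_one else 0
        out.append((high | low).to_bytes(4, "big"))
    return out


def bit_bias(outputs: list[bytes], bit_index: int) -> float:
    # Empirical probability that output bit `bit_index` (MSB-first) is 1.
    ones = sum((o[bit_index // 8] >> (7 - bit_index % 8)) & 1 for o in outputs)
    return ones / len(outputs)


def binary_entropy(p: float) -> float:
    # Shannon entropy in bits of a single biased bit.
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def compare(n: int = 20000, p_one: float = 0.9) -> dict[str, float]:
    # Entropy of the last output bit: leaky_hash copies the source bias
    # (about 0.47 bits at p_one=0.9), plain SHA-256 looks uniform (~1 bit).
    samples = biased_samples(n, p_one)
    leaky = [leaky_hash(s) for s in samples]
    plain = [hashlib.sha256(s).digest() for s in samples]
    return {
        "leaky_last_bit_entropy": binary_entropy(bit_bias(leaky, 32 * 8 + 7)),
        "sha256_last_bit_entropy": binary_entropy(bit_bias(plain, 255)),
    }
```

The measurement only catches bias that is visible in a single output bit; it is a demonstration that the two properties are insufficient, not a test that any hash is a good extractor.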