[11233] in cryptography@c2.net mail archive
Re: building a true RNG
daemon@ATHENA.MIT.EDU (David Wagner)
Mon Jul 29 11:24:09 2002
From: David Wagner <daw@cs.berkeley.edu>
To: ben@algroup.co.uk (Ben Laurie)
Date: Sun, 28 Jul 2002 13:52:06 -0700 (PDT)
Cc: daw@cs.berkeley.edu (David Wagner),
daw@mozart.cs.berkeley.edu (David Wagner),
cryptography@wasabisystems.com
In-Reply-To: <3D4458D3.7080007@algroup.co.uk> from "Ben Laurie" at Jul 28, 2002 09:49:23 PM
> > Nitpick: You can sample from such a set. You can generate m random x
> > values from this set with about 10m computations of SHA-1: simply pick
> > a random x, check whether SHA-1(x) has its first ten zeros, and if not
> > go back and pick another x until you find one that works.
>
> 1024m not 10m, surely?
Yes, sorry.
> Your point appears to be that it's hard to justify in the standard
> "infinite computing power" model that maths likes to use, not that it's
> generally hard to justify.
No, my point is stronger. It's hard to justify even in the standard
"security against computationally-bounded adversaries" model. I know
of *no* theoretically-rigorous justification for any practical entropy
sampling procedure without making unreasonable and untestable assumptions
about the input distribution, except in the random oracle model.
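The rejection-sampling procedure discussed above, written out as an added example (not code from the thread or its authors): draw a uniformly random x, keep it only if SHA-1(x) starts with ten zero bits, and count how many SHA-1 evaluations each accepted sample costs. The 128-bit candidate width, the seeded `random.Random` source and the function names are assumptions made for the example; the point it shows is the corrected cost, about 2^10 = 1024 SHA-1 calls per sample rather than 10.

```python
import hashlib
import random
import statistics

# Number of leading zero bits that membership in the set requires
# (the thread's example uses ten).
K = 10


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def in_set(x: bytes, k: int = K) -> bool:
    """Membership test: SHA-1(x) starts with at least k zero bits."""
    return leading_zero_bits(hashlib.sha1(x).digest()) >= k


def sample_from_set(rng: random.Random, k: int = K) -> tuple[bytes, int]:
    """Rejection sampling: draw uniformly random x until SHA-1(x) qualifies.
    Returns the accepted x and the number of SHA-1 evaluations spent.
    The 128-bit candidate width is an assumption of this example."""
    trials = 0
    while True:
        x = rng.getrandbits(128).to_bytes(16, "big")
        trials += 1
        if in_set(x, k):
            return x, trials


def expected_trials(k: int = K) -> int:
    """A uniformly random digest starts with k zero bits with probability
    2^-k, so the expected number of SHA-1 calls per accepted sample is 2^k
    (1024 for k = 10), which is where the 1024m figure comes from."""
    return 2 ** k


def sample_many(m: int, seed: int = 0, k: int = K) -> tuple[list[bytes], float]:
    """Draw m samples from the set and report the mean SHA-1 calls per sample.
    The seeded generator is used so the run is reproducible; a real
    application would draw x from a proper randomness source."""
    rng = random.Random(seed)
    samples, costs = [], []
    for _ in range(m):
        x, trials = sample_from_set(rng, k)
        samples.append(x)
        costs.append(trials)
    return samples, statistics.mean(costs)


if __name__ == "__main__":
    xs, mean_cost = sample_many(50)
    print(f"{len(xs)} samples, mean SHA-1 calls per sample: {mean_cost:.0f} "
          f"(expected about {expected_trials()})")
```

Running it prints a mean close to 1024 rather than 10; the per-sample cost is geometrically distributed, so individual samples vary widely while the average over many samples settles near 2^k.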
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com