[701] in cryptography@c2.net mail archive
Re: Random numbers from the '60's...
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue May 6 00:53:59 1997
To: Bill Frantz <frantz@netcom.com>
cc: cryptography@c2.net
In-reply-to: Your message of "Mon, 05 May 1997 21:21:03 PDT."
<v03007808af9461d9902d@[207.94.249.214]>
Reply-To: perry@piermont.com
Date: Tue, 06 May 1997 00:40:35 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Bill Frantz writes:
> The only bright point in the whole gathering entropy mess is that if you
> properly combine 14 bad sources with one good one, you get good output.
> Almost the only place in computer science where you can say this. :-)
I'm worried about this, actually.
It feels right, but the times that I've asked smart crypto people
(such as Hugo K., and Matt Blaze) for an answer to the question "can
you distil entropy with a hash function", I've gotten answers that
ranged from "Interesting question!" to "Well, it *should* be possible
to answer that question one way or another... I'll try to prove some
properties you'd need..."
Now, I have no reason to believe there is much wrong with what we do
these days, but those sorts of answers don't give me strong comfort. I
remember when we first started playing with keyed hashes and it seemed
"obvious" that they worked without any need for really deep analysis
-- until Hugo showed up and demonstrated we hadn't really analyzed the
situation thoroughly.
Again, I don't have any reason to believe that hashes aren't utterly
safe for entropy distillation -- but until I see less equivocation
from the theory guys, I'm at least a tad nervous.
Perry
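The construction Bill and Perry are discussing, shown as an added example (not code from either author or from the list): a pool mixer that hashes several sources into one seed, where only one of them needs to be unpredictable. It assumes HMAC-SHA256 as the mixing function, 4-byte length framing of each source, constructed stand-in values for the "bad" sources, and os.urandom as a stand-in for the one "good" source. It does not settle the theoretical question Perry raises; it shows the engineering hygiene that matters even if one takes the hash-as-extractor heuristic on faith: frame the inputs so two different source sets cannot collapse to the same byte string, and remember that hashing known inputs creates no entropy at all.

```python
import hashlib
import hmac
import os


def frame(chunk: bytes) -> bytes:
    """Length-prefix a chunk (4-byte big-endian) so that the concatenation
    of several framed chunks can only be split back one way."""
    return len(chunk).to_bytes(4, "big") + chunk


def distill(sources: list, salt: bytes = b"") -> bytes:
    """Combine several entropy sources into one 32-byte seed.

    HMAC-SHA256 keyed with a (possibly public) salt is used as a heuristic
    randomness extractor over the framed sources. The design goal is the
    one discussed in the thread: if even one source is unpredictable to an
    adversary, the output should be unpredictable too. This is an assumed
    construction for illustration, not one taken from the thread.
    """
    material = len(sources).to_bytes(4, "big") + b"".join(frame(s) for s in sources)
    return hmac.new(salt, material, hashlib.sha256).digest()


def naive_concat(sources: list) -> bytes:
    """The tempting shortcut: hash the raw concatenation with no framing."""
    return hashlib.sha256(b"".join(sources)).digest()


# Constructed stand-ins for "bad" sources: values an attacker can guess.
BAD_SOURCES = [
    b"\x00" * 16,            # an uninitialised buffer
    b"1997-05-06 00:40:35",  # wall-clock time
    b"pid=1234",             # process id
    b"host=athena",          # hostname
]


def good_source_dominates(trials: int = 64) -> bool:
    """With the bad sources fixed and known, distinct values of the single
    good source must give distinct seeds (no collisions across the trials)."""
    seen = set()
    for _ in range(trials):
        good = os.urandom(32)  # stand-in for a genuinely unpredictable source
        seen.add(distill(BAD_SOURCES + [good]))
    return len(seen) == trials


def framing_prevents_ambiguity() -> tuple:
    """Two different source splits that concatenate to the same raw bytes.
    Returns (naive outputs collide, framed outputs differ)."""
    split_a = [b"ab", b"c"]
    split_b = [b"a", b"bc"]
    return (naive_concat(split_a) == naive_concat(split_b),
            distill(split_a) != distill(split_b))


def bad_sources_alone_are_guessable() -> bool:
    """With no good source in the pool, an adversary who knows every input
    recomputes the seed exactly; more bad sources do not change that."""
    attacker_recompute = distill(list(BAD_SOURCES))
    return attacker_recompute == distill(BAD_SOURCES)


if __name__ == "__main__":
    print("good source dominates:", good_source_dominates())
    print("naive collides / framed differs:", framing_prevents_ambiguity())
    print("all-bad pool is recomputable:", bad_sources_alone_are_guessable())
```

The framing check is the one practitioners most often skip: without length prefixes, `["ab", "c"]` and `["a", "bc"]` hash to the same seed, so a source that can influence its own boundaries gets a handle on the pool layout. The salt parameter is where a keyed variant (the HKDF-extract style Perry's "keyed hashes" remark points toward) would plug in; leaving it empty reduces the mixer to plain hashing.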