building a true RNG
John S. Denker
jsd at monmouth.com
Fri Aug 2 07:27:45 EDT 2002
David Wagner <daw at cs.berkeley.edu> writes:
>>> I don't know of any good cryptographic hash function
>>> that comes with a proof that all outputs are possible.
What about the scheme
Pad -> Encipher -> Contract
described at
http://www.monmouth.com/~jsd/turbid/paper/turbid.htm#sec-uniform-hash
>>> if we apply the Luby-Rackoff construction
>>> (i.e., 3 rounds of a Feistel cipher), with
>>> ideal hash functions in each round, does this have
>>> the desired properties? It might.
Paul Crowley wrote:
> >
> > This seems to define a block cipher with no key, which is collision
> > free but not one-way. Am I misunderstanding what you're proposing?
David Wagner wrote:
>
> You understood it perfectly. Good point.
> I didn't notice that problem. Harrumph.
There is only the most minor of problems here, namely
that DAW mentioned a symmetric cipher. The problem goes
away if you use asymmetric crypto. You want a cipher with
no _deciphering_ key, as described in my paper. (op. cit.)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list