Extracting uniform randomness from noisy source
Paul Crowley
paul at ciphergoth.org
Mon Aug 12 05:56:50 EDT 2002
OK, here's an attempt at a formal definition of how secure a keyed
hash function is for entropy collection.
Here's the game. Our attacker selects an algorithm MUNGE which takes
an unbounded stream of random bits as input and generates random
strings as output. We then select a key K and reveal it to the
attacker. We take a secret unbounded stream, feed it to MUNGE, and
hash the output, using the key K. The attacker then makes as many
guesses about the output as they want until they get it exactly right.
The hash function is (H,t,p)-secure for entropy collection if for any
choice of attacker such that the entropy of the output of MUNGE is H
or greater and the total work of the attacker (including MUNGE) is
bounded by t, then the probability of a correct guess is p.
I suspect you can do without the key in an asymptotic model, but I'm
not so sure in the concrete model.
--
__ Paul Crowley
\/ o\ sig at paul.ciphergoth.org
/\__/ http://www.ciphergoth.org/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list