building a true RNG
John S. Denker
jsd at monmouth.com
Sat Jul 27 14:39:06 EDT 2002
Amir Herzberg wrote:
>
> So I ask: is there a definition of this `no wasted entropy` property, which
> hash functions can be assumed to have (and tested for), and which ensures
> the desired extraction of randomness?
That's the right question.
The answer I give in the paper is:

    A cryptologic hash function advertises that it is
    computationally infeasible for an adversary to unmix
    the hash-codes.

    A chosen-plaintext (chosen-input) attack will not
    discover inputs that produce hash collisions with
    any great probability.

  In contrast:

    What we are asking is not really very special. We
    merely ask that the hash-codes in the second
    column be well mixed.

    We ask that the data acquisition system will not
    accidentally produce an input pattern that unmixes
    the hash-codes.
We believe that anything that makes a good pretense of being
a cryptologic hash function is good enough for our purposes,
with a wide margin of safety. If it resists attack when the
adversary can choose the inputs, it presumably resists attack
when the adversary can't choose the inputs.
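As an added illustration (not code from the post or from the paper it cites), the following Python script applies the weaker "well mixed" requirement described above in a checkable way: it feeds a deliberately structured, non-adversarial acquisition pattern (runs of consecutive counter values, where adjacent batches share almost every byte) through SHA-256 and measures whether the resulting hash-codes collide or show stuck output bits. The extractor also enforces an entropy budget before emitting a code; the per-sample entropy figure it is given is an assumed number for the demo, since the hash cannot verify the caller's entropy estimate and cannot create entropy it was not given.

```python
"""Added example: a cryptographic hash used as a randomness extractor,
with a simple check that its hash-codes stay well mixed under a
structured (not adversary-chosen) input pattern.  All inputs are
constructed for the demo; nothing here comes from the original post."""
import hashlib
import struct

OUT_BITS = 256  # width of a SHA-256 hash-code


def extract(samples, entropy_per_sample):
    """Condense a batch of raw integer samples into one 256-bit hash-code.

    entropy_per_sample is the caller's conservative (min-)entropy estimate,
    in bits, for each raw sample.  Refuse to emit a code unless the batch
    carries at least OUT_BITS bits in total: the hash only mixes what it is
    given, it never stretches entropy.
    """
    budget = len(samples) * entropy_per_sample
    if budget < OUT_BITS:
        raise ValueError(f"batch carries {budget:.1f} bits, need {OUT_BITS}")
    raw = b"".join(struct.pack("<I", s & 0xFFFFFFFF) for s in samples)
    return hashlib.sha256(raw).digest()


def mixing_report(codes):
    """Return (collision_count, max_bit_bias) over a list of hash-codes.

    max_bit_bias is the largest |frequency - 0.5| over all output bit
    positions.  A well mixed set keeps it near zero; an unmixed function
    (say, one whose output bits merely copy input bits) would show bits
    stuck at 0 or 1 for this input pattern.
    """
    n = len(codes)
    collisions = n - len(set(codes))
    nbits = len(codes[0]) * 8
    ones = [0] * nbits
    for code in codes:
        value = int.from_bytes(code, "big")
        for i in range(nbits):
            if (value >> i) & 1:
                ones[i] += 1
    max_bias = max(abs(c / n - 0.5) for c in ones)
    return collisions, max_bias


def structured_batches(count, batch_len=64):
    """Constructed acquisition pattern: each batch is a run of consecutive
    counter values, differing from the previous batch only in where it
    starts.  This is the kind of accidental regularity the post worries
    about, not something an adversary chose."""
    return [[start + i for i in range(batch_len)] for start in range(count)]


def demo(count=2000):
    """Hash every structured batch and report how mixed the codes are.
    The 4.0 bits/sample figure is an assumed budget for the demo."""
    codes = [extract(batch, entropy_per_sample=4.0)
             for batch in structured_batches(count)]
    return mixing_report(codes)


if __name__ == "__main__":
    collisions, bias = demo()
    print(f"{collisions} collisions, max per-bit bias {bias:.3f}")
```

Running it shows zero collisions and a per-bit bias well under a few percent, which is what "well mixed" means in practice: the structured input pattern leaves no visible trace in the hash-codes. The budget check is the part that matters for a true RNG design; the hash is a mixer, and the entropy accounting has to be done upstream of it.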
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com