building a true RNG
David Wagner
daw at mozart.cs.berkeley.edu
Sat Jul 27 16:15:02 EDT 2002
John S. Denker wrote:
>Amir Herzberg wrote:
>> So I ask: is there a definition of this `no wasted entropy` property, which
>> hash functions can be assumed to have (and tested for), and which ensures
>> the desired extraction of randomness?
>
>That's the right question.
>
>The answer I give in the paper is
>
> What we are asking is not really very special. We
> merely ask that the hash-codes in the second
> column be well mixed.

Alas, that's not a very precise definition.
Actually, my intuition differs from yours. My intuition is that
entropy collection requires fairly strong assumptions about the hash.
For instance, collision-freedom isn't enough. One-wayness isn't enough.
We need something stronger, and something that appears difficult to
formalize in any precise, mathematically rigorous way.
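
Added example, not part of the original post: one standard way to see why collision-freedom and one-wayness do not by themselves give "no wasted entropy". The names `leaky_hash` and `constructed_source` are hypothetical, and the sample data is constructed. `leaky_hash` keeps SHA-256's collision resistance (its first 32 bytes are the SHA-256 digest) and reveals only one input bit, yet its output is visibly not well mixed on a source with a stuck bit.

```python
import hashlib
import random

def sha256_hash(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def leaky_hash(x: bytes) -> bytes:
    # Hypothetical construction: SHA-256 digest followed by one raw input bit.
    # Any collision here is also a SHA-256 collision, and an inverter would
    # invert SHA-256 given a one-bit hint, so both properties carry over.
    return hashlib.sha256(x).digest() + bytes([x[0] & 1])

def constructed_source(n: int, seed: int = 1) -> list:
    # Constructed sample data: 16-byte readings whose lowest bit of the
    # first byte is stuck at 1; every other bit is pseudo-random.
    rng = random.Random(seed)
    return [bytes([rng.getrandbits(8) | 0x01]) +
            bytes(rng.getrandbits(8) for _ in range(15)) for _ in range(n)]

def ones_fraction(outputs: list) -> list:
    # Fraction of outputs in which each output bit position is 1.
    nbits = len(outputs[0]) * 8
    counts = [0] * nbits
    for out in outputs:
        for i in range(nbits):
            counts[i] += (out[i // 8] >> (7 - i % 8)) & 1
    return [c / len(outputs) for c in counts]

def worst_bias(hash_fn, samples: list) -> float:
    # Largest distance from 0.5 over all output bit positions:
    # close to 0 for well-mixed output, 0.5 for a constant bit.
    return max(abs(p - 0.5) for p in ones_fraction([hash_fn(s) for s in samples]))

if __name__ == "__main__":
    samples = constructed_source(2000)
    print("SHA-256 worst per-bit bias:   ", worst_bias(sha256_hash, samples))
    print("leaky_hash worst per-bit bias:", worst_bias(leaky_hash, samples))
```

A per-bit test like this can only expose a bad extractor; passing it does not show that a hash has the property under discussion.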
---------------------------------------------------------------------
The Cryptography Mailing List