building a true RNG
David Wagner
daw at cs.berkeley.edu
Sun Jul 28 16:52:06 EDT 2002
> > Nitpick: You can sample from such a set. You can generate m random x
> > values from this set with about 10m computations of SHA-1: simply pick
> > a random x, check whether SHA-1(x) has its first ten zeros, and if not
> > go back and pick another x until you find one that works.
>
> 1024m not 10m, surely?
Yes, sorry.
> Your point appears to be that it's hard to justify in the standard
> "infinite computing power" model that maths likes to use, not that it's
> generally hard to justify.
No, my point is stronger. It's hard to justify even in the standard
"security against computationally-bounded adversaries" model. I know
of *no* theoretically-rigorous justification for any practical entropy
sampling procedure without making unreasonable and untestable assumptions
about the input distribution, except in the random oracle model.
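The rejection-sampling procedure discussed in the thread, as an added illustration (example code, not from any poster): draw candidate x values, keep those whose SHA-1 digest begins with k zero bits, and count the SHA-1 evaluations spent, which averages about 2^k per accepted value, i.e. 1024 for k = 10, so m samples cost roughly 1024m hashes. The seed, candidate size and sample count are constructed for the demo.

```python
import hashlib
import random


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string (160 for an all-zero SHA-1)."""
    n = 0
    for byte in digest:
        if byte == 0:
            n += 8
        else:
            n += 8 - byte.bit_length()
            break
    return n


def in_set(x: bytes, k: int) -> bool:
    """Membership test for the set {x : SHA-1(x) starts with k zero bits}."""
    return leading_zero_bits(hashlib.sha1(x).digest()) >= k


def sample_from_set(k: int, rng: random.Random, size: int = 16):
    """Rejection sampling: pick a random x, test it, repeat until one is accepted.
    Returns the accepted x and the number of SHA-1 evaluations it cost."""
    trials = 0
    while True:
        trials += 1
        x = rng.getrandbits(8 * size).to_bytes(size, "big")
        if in_set(x, k):
            return x, trials


def expected_trials_per_sample(k: int) -> int:
    """Each candidate is accepted with probability 2^-k, so the expected cost is 2^k."""
    return 2 ** k


def cost_of_m_samples(k: int, m: int, seed: int = 2002) -> float:
    """Average SHA-1 evaluations per accepted value over m samples.
    The fixed seed (a constructed value) keeps the run reproducible."""
    rng = random.Random(seed)
    total = 0
    for _ in range(m):
        x, trials = sample_from_set(k, rng)
        assert in_set(x, k)  # every returned x really lies in the set
        total += trials
    return total / m


if __name__ == "__main__":
    k, m = 10, 200
    print(f"expected SHA-1 calls per sample: {expected_trials_per_sample(k)}")
    print(f"observed average over {m} samples: {cost_of_m_samples(k, m):.1f}")
```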
---------------------------------------------------------------------
The Cryptography Mailing List