building a true RNG
David Wagner
daw at mozart.cs.berkeley.edu
Mon Jul 29 14:30:38 EDT 2002
Sandy Harris wrote:
>I think the interesting question is whether, for M-bit hash inputs,
>and an N-bit hash, with a lower bound Q on entropy per input batch,
>so M > Q > N, we can show, as I think Denker is claiming to have done,
>that the entropy of hash(M) must be > N - epsilon, for some epsilon
>small enough to ignore.
The result you want should follow in the random oracle model. (Of course,
there is no proof that SHA1 is well-approximated by the random oracle
model, though it is a common assumption.)
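
A small numerical check of the claim above, as an added example that is not part of the original post or from either author. It assumes truncated SHA-1 as the stand-in for a random oracle, a toy output width of N = 8 bits, and inputs uniform over 2^Q distinct 512-bit strings, so each batch carries exactly Q bits of entropy. The bound N - log2(1 + 2^(N-Q)) is the standard average-case estimate obtained from the expected collision probability 2^-Q + 2^-N of a random function's output; it is supplied here, not taken from the thread.

```python
import hashlib
import math
from collections import Counter

N_BITS = 8    # toy output width N (assumption; small enough to enumerate)
M_BYTES = 64  # each input is an M = 512-bit string (assumption)


def oracle(msg: bytes) -> int:
    """Stand-in for the random oracle: SHA-1 truncated to N_BITS bits."""
    digest = hashlib.sha1(msg).digest()
    return int.from_bytes(digest, "big") >> (160 - N_BITS)


def output_entropy(q_bits: int) -> float:
    """Exact Shannon entropy (bits) of oracle(X), X uniform over 2**q_bits inputs."""
    total = 1 << q_bits
    counts = Counter(oracle(i.to_bytes(M_BYTES, "big")) for i in range(total))
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def random_oracle_bound(q_bits: int) -> float:
    """N - log2(1 + 2**(N-Q)): average-case lower bound in the random oracle model."""
    return N_BITS - math.log2(1 + 2.0 ** (N_BITS - q_bits))


def sweep(q_values=(10, 12, 14, 16)):
    """Return (Q, measured entropy, bound, measured epsilon) for each Q."""
    rows = []
    for q in q_values:
        h = output_entropy(q)
        rows.append((q, h, random_oracle_bound(q), N_BITS - h))
    return rows


if __name__ == "__main__":
    for q, h, bound, eps in sweep():
        print(f"Q={q:2d}  H={h:.5f}  bound={bound:.5f}  epsilon={eps:.5f}")
```

For Q well above N the bound's epsilon, log2(1 + 2^(N-Q)), is approximately 1.44 * 2^-(Q-N), so it halves with each extra bit of input entropy.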