building a true RNG

David Wagner daw at mozart.cs.berkeley.edu
Tue Jul 30 15:06:17 EDT 2002


Amir Herzberg wrote:
>But there's a big difference: the random oracle `assumption` is clearly not
>valid for SHA-1 (or any other specific hash function).

Well, the random oracle model has problems, but I think those problems
are a bit more subtle than just an assumption that is true or false.

>So the question is again: what is an assumption which we can test SHA-1
>against, and which is sufficient to make the `entropy crunching alg` secure?

Hmm; I thought I answered this before.  Was it unclear?  If so, please
ask.  In any case, here's a summary.  In the standard model (without
random oracles), there is *no* such assumption.  There's no hope for
finding such an assumption, if you want to build a general-purpose
entropy cruncher that works for any distribution on the input samples.
One can prove this.  No matter what function you choose, there is an
input distribution that makes this function inadequate.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
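
The impossibility claim in the message above can be illustrated with a standard pigeonhole argument. This is an added example, not part of the original post and not necessarily the proof its author has in mind. It assumes a toy 16-bit input space and a one-bit output (all function names are hypothetical); the same counting argument applies to any deterministic function, not only SHA-1.

```python
import hashlib
import math

N_BITS = 16  # constructed toy input width, small enough to enumerate fully


def sha1_first_bit(x: int) -> int:
    """Candidate cruncher: top bit of SHA-1 over the 2-byte encoding of x."""
    digest = hashlib.sha1(x.to_bytes(N_BITS // 8, "big")).digest()
    return digest[0] >> 7


def bad_distribution(f, n_bits: int = N_BITS):
    """Return (support, fixed_bit) for the larger preimage class of f.

    Pigeonhole: f^-1(0) and f^-1(1) partition 2**n_bits inputs, so one of
    them holds at least 2**(n_bits - 1). The uniform distribution on that
    class has at least n_bits - 1 bits of min-entropy, yet f is constant
    on it, so the crunched output carries no entropy at all.
    """
    classes = {0: [], 1: []}
    for x in range(1 << n_bits):
        classes[f(x)].append(x)
    bit = 0 if len(classes[0]) >= len(classes[1]) else 1
    return classes[bit], bit


def min_entropy_uniform(support) -> float:
    """Min-entropy in bits of the uniform distribution over `support`."""
    return math.log2(len(support))


def output_values(f, support) -> set:
    """Set of distinct outputs f produces on inputs drawn from `support`."""
    return {f(x) for x in support}


if __name__ == "__main__":
    support, bit = bad_distribution(sha1_first_bit)
    print(f"input min-entropy: {min_entropy_uniform(support):.3f} bits "
          f"(of {N_BITS} possible)")
    print(f"distinct outputs on this distribution: "
          f"{output_values(sha1_first_bit, support)} (always {bit})")
```

The bad input distribution is built from the function itself, which is why no fixed choice of function escapes it without an extra assumption about the source.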


