[11218] in cryptography@c2.net mail archive


Re: building a true RNG

daemon@ATHENA.MIT.EDU (John S. Denker)
Sat Jul 27 15:49:54 2002

Date: Sat, 27 Jul 2002 14:39:06 -0400
From: "John S. Denker" <jsd@monmouth.com>
To: amir@herzberg.name
Cc: cryptography@wasabisystems.com

Amir Herzberg wrote:
> 
> So I ask: is there a definition of this `no wasted entropy` property, which
> hash functions can be assumed to have (and tested for), and which ensures
> the desired extraction of randomness?

That's the right question.

The answer I give in the paper is

     A cryptologic hash function advertises that it is
     computationally infeasible for an adversary to unmix
     the hash-codes.

     A chosen-plaintext (chosen-input) attack will not
     discover inputs that produce hash collisions with
     any great probability.

     In contrast:

     What we are asking is not really very special. We
     merely ask that the hash-codes in the second
     column be well mixed. 

     We ask that the data acquisition system will not
     accidentally produce an input pattern that unmixes
     the hash-codes. 

     We believe that anything that makes a good pretense of being
     a cryptologic hash function is good enough for our purposes,
     with a wide margin of safety.  If it resists attack when the
     adversary can choose the inputs, it presumably resists attack
     when the adversary can't choose the inputs.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
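The extraction step Denker describes, written out as an added example (this is not code from the post or from his paper). It hashes a batch of biased raw samples into one output block, sizes the batch from the source's min-entropy so the hash has enough to "mix" (the hash concentrates entropy, it never creates it), and adds the check a practitioner wants for the failure mode the post names: a data acquisition system that flat-lines and feeds the hash a pattern with no entropy in it. The biased source, the 4-symbol alphabet and its probabilities, the safety factor of 2 and the health-check threshold are all constructed assumptions for the demo; a real design takes the per-sample min-entropy from characterising the hardware, not from the batch.

```python
"""Hash-based entropy extraction for a TRNG, with the checks a practitioner wants.

Added illustration, not code from the original post or Denker's paper.  The
noise source below is constructed: a seeded PRNG stands in for hardware.
"""
import hashlib
import math
import random
from collections import Counter

OUTPUT_BITS = 256      # one SHA-256 digest per extraction
SAFETY_FACTOR = 2.0    # assumption: hash in twice the min-entropy we intend to claim


def min_entropy_per_sample(probabilities):
    """Min-entropy (bits) of one sample: -log2 of the most likely outcome."""
    return -math.log2(max(probabilities))


def samples_needed(h_min_per_sample, target_bits=OUTPUT_BITS, safety=SAFETY_FACTOR):
    """Raw samples to hash together so the input carries >= safety*target_bits of
    min-entropy.  The hash cannot add entropy; it only concentrates what is there."""
    return math.ceil(safety * target_bits / h_min_per_sample)


def empirical_min_entropy(samples):
    """Crude estimate from the batch itself: -log2(share of the most frequent symbol).
    Only a health check for a stuck or failing source; the design value must come
    from characterising the hardware (assumption: a batch is never its own spec)."""
    top = Counter(samples).most_common(1)[0][1]
    return -math.log2(top / len(samples))


def extract(raw_samples, expected_h_min, out_bits=OUTPUT_BITS):
    """Hash one batch into an output block, refusing if the batch looks starved of
    entropy (the 'acquisition system accidentally unmixes the hash-codes' case).
    The 0.5 factor is an assumed alarm threshold."""
    if empirical_min_entropy(raw_samples) < 0.5 * expected_h_min:
        raise ValueError("raw batch looks stuck or biased beyond spec; not extracting")
    return hashlib.sha256(bytes(raw_samples)).digest()[: out_bits // 8]


def chi_square_bytes(data):
    """Chi-square of byte frequencies against uniform (255 degrees of freedom):
    a cheap 'are the hash-codes well mixed' check on output vs raw input."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def distinct_outputs_for_input_entropy(k_bits):
    """Feed every k-bit input through the hash and count distinct outputs: never more
    than 2**k, however wide the digest.  Entropy in bounds entropy out."""
    seen = {hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(2 ** k_bits)}
    return len(seen)


def stuck_batch_rejected(expected_h_min, n):
    """A flat-lined source must be refused rather than hashed into a fixed,
    adversary-predictable block.  Returns True if extract() refuses it."""
    try:
        extract([0] * n, expected_h_min)
    except ValueError:
        return True
    return False


class BiasedSource:
    """Constructed stand-in for a physical noise source: 4-symbol alphabet, heavy bias."""

    def __init__(self, probabilities=(0.7, 0.2, 0.07, 0.03), seed=2002):
        self.probabilities = list(probabilities)
        self._rng = random.Random(seed)   # deterministic so the demo is reproducible

    def sample(self, n):
        return self._rng.choices(range(len(self.probabilities)),
                                 weights=self.probabilities, k=n)


def run_demo(blocks=2048):
    """Extract `blocks` output blocks and compare the mixing of raw input vs output."""
    src = BiasedSource()
    h = min_entropy_per_sample(src.probabilities)
    n = samples_needed(h)
    raw_all, out_all = bytearray(), bytearray()
    for _ in range(blocks):
        batch = src.sample(n)
        raw_all += bytes(batch)
        out_all += extract(batch, h)
    return {
        "h_min_per_sample": h,
        "samples_per_block": n,
        "chi2_raw": chi_square_bytes(raw_all),   # enormous: input lives in 4 byte values
        "chi2_out": chi_square_bytes(out_all),   # near 255: output is well mixed
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    print("8-bit input entropy -> distinct outputs:", distinct_outputs_for_input_entropy(8))
    print("stuck source rejected:", stuck_batch_rejected(0.5, 1000))
```

The two numbers to read side by side are `chi2_raw` and `chi2_out`: the hash makes the output look uniform no matter how lopsided the input is, which is exactly why a frequency test on the output says nothing about how much entropy went in. `distinct_outputs_for_input_entropy` is the counterexample to over-trusting that: with only 8 bits of entropy in the input, the adversary needs 256 guesses regardless of the 256-bit digest. The batch-sizing from the source's characterised min-entropy, and the refusal on a stuck batch, are what stand between the "well mixed" column and a predictable one.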
