John S. Denker wrote:
>Amir Herzberg wrote:
>> So I ask: is there a definition of this `no wasted entropy` property, which
>> hash functions can be assumed to have (and tested for), and which ensures
>> the desired extraction of randomness?
>
>That's the right question.
>
>The answer I give in the paper is
>
>    What we are asking is not really very special. We
>    merely ask that the hash-codes in the second
>    column be well mixed.

Alas, that's not a very precise definition. Actually, my intuition differs from yours. My intuition is that entropy collection requires fairly strong assumptions about the hash. For instance, collision-freedom isn't enough. One-wayness isn't enough. We need something stronger, and something that appears difficult to formalize in any precise, mathematically rigorous way.
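
An added illustration of the point in the reply above (not code from either poster): a constructed function, `padded_hash`, that is as collision-resistant and one-way as SHA-256 yet emits output bytes carrying no entropy at all, so neither property implies "well mixed" output. The function name, the pad width and the counter inputs are assumptions made for this example.

```python
import hashlib
import math
from collections import Counter

PAD = 8  # constructed: number of constant bytes appended to each digest


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def padded_hash(data: bytes) -> bytes:
    """SHA-256 digest followed by PAD zero bytes.

    Two inputs collide here only if they collide under SHA-256, and a
    preimage here is a SHA-256 preimage, so collision-freedom and
    one-wayness carry over unchanged. The output is still not well mixed.
    """
    return hashlib.sha256(data).digest() + b"\x00" * PAD


def per_byte_entropy(outputs):
    """Empirical Shannon entropy, in bits, of each output byte position."""
    n = len(outputs)
    entropies = []
    for pos in range(len(outputs[0])):
        counts = Counter(out[pos] for out in outputs)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def stuck_positions(hash_fn, samples=4096):
    """Output byte positions that never vary over `samples` distinct inputs."""
    # Constructed inputs: a 4-byte big-endian counter, so the run is repeatable.
    outputs = [hash_fn(i.to_bytes(4, "big")) for i in range(samples)]
    return [pos for pos, h in enumerate(per_byte_entropy(outputs)) if h == 0.0]


if __name__ == "__main__":
    print("SHA-256 stuck bytes:    ", stuck_positions(sha256))
    print("padded_hash stuck bytes:", stuck_positions(padded_hash))
```

A consumer that took the last `PAD` bytes of `padded_hash` as key material would get a constant, even though no collision or preimage attack on the function exists beyond those on SHA-256.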
