> > Nitpick: You can sample from such a set. You can generate m random x
> > values from this set with about 10m computations of SHA-1: simply pick
> > a random x, check whether SHA-1(x) has its first ten zeros, and if not
> > go back and pick another x until you find one that works.
>
> 1024m not 10m, surely?

Yes, sorry.

> Your point appears to be that it's hard to justify in the standard
> "infinite computing power" model that maths likes to use, not that it's
> generally hard to justify.

No, my point is stronger. It's hard to justify even in the standard
"security against computationally-bounded adversaries" model. I know of
*no* theoretically-rigorous justification for any practical entropy
sampling procedure without making unreasonable and untestable assumptions
about the input distribution, except in the random oracle model.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
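The rejection-sampling procedure the quoted nitpick describes, as an added Python example that is not part of the thread: it draws random x, keeps those whose SHA-1 starts with ten zero bits, and counts hash computations, which average about 1024 per member as the correction says rather than 10. The 16-byte width of x and the seeded RNG are assumptions for reproducibility.

```python
import hashlib
import random

LEADING_ZERO_BITS = 10                     # membership test: first ten bits of SHA-1(x) are zero
EXPECTED_TRIALS = 2 ** LEADING_ZERO_BITS   # 1024 SHA-1 computations per member, on average


def in_set(x: bytes) -> bool:
    """True iff SHA-1(x) starts with LEADING_ZERO_BITS zero bits."""
    digest = int.from_bytes(hashlib.sha1(x).digest(), "big")
    return digest >> (160 - LEADING_ZERO_BITS) == 0


def sample_one(rng: random.Random, width: int = 16) -> tuple[bytes, int]:
    """Rejection sampling: draw random x until SHA-1(x) passes the test.

    Returns (x, number_of_sha1_computations). The trial count is geometric
    with success probability 2**-10, so it averages 1024, not 10.
    """
    trials = 0
    while True:
        x = rng.getrandbits(8 * width).to_bytes(width, "big")  # assumed width
        trials += 1
        if in_set(x):
            return x, trials


def sample_many(m: int, seed: int = 0) -> tuple[list[bytes], float]:
    """Generate m set members; report mean SHA-1 computations per member."""
    rng = random.Random(seed)  # seeded for a reproducible run, not a source of real entropy
    samples, total = [], 0
    for _ in range(m):
        x, trials = sample_one(rng)
        samples.append(x)
        total += trials
    return samples, total / m


if __name__ == "__main__":
    xs, mean_trials = sample_many(32)
    print(f"{len(xs)} members found; mean SHA-1 calls per member: {mean_trials:.0f} "
          f"(expected about {EXPECTED_TRIALS})")
```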