Sandy Harris wrote: >I think the interesting question is whether, for M-bit hash inputs, >and an N-bit hash, with a lower bound Q on entropy per input batch, >so M > Q > N, we can show, as I think Denker is claiming to have done, >that the entropy of hash(M) must be > N - epsilon, for some epsilon >small enough to ignore.
The result you want should follow in the random oracle model. (Of course, there is no proof that SHA1 is well-approximated by the random oracle model, though it is a common assumption.) --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
