Re: Whirlpool 512-bit collisions?

In article <d8ulot$e7b$1@bananasplit.info>,
fleegle.bananasplit.info <a__l__a__n@hotmail.com> wrote:
>Gregory G Rose wrote
>> Assuming that the hash function acts as a perfect
>> random function, about 1/e ~= 0.37 of the
>> possible outputs won't appear. Some other outputs
>> appear more than once. The loss of entropy is a
>> small fraction of a bit, pretty much independent
>> of the size of the hash.
>>
>> (Note that the probability of a collision is also
>> not 2^-512 (or whatever) for exactly the same
>> reason. But it's a perfectly good approximation.)
>
>So entropy is reduced by 1/e (a little less than half, which is a little
>less than one bit of entropy) due to the fact that certain 512-bit values
>never occur.
>
>Entropy is further reduced because the 512 bit values which DO occur are not
>all equally probable, since some of them result from more than one of the
>possible inputs. Perhaps some even occur from more than two of the possible
>inputs, etc.
>
>My intuition tells me we are probably talking about losing on the order of
>one bit of entropy, bottom line. But I'm not quite ready to trust my
>intuition....

Once upon a time I calculated it, by enumeration
for a bunch of small hashes. My memory tells me
that it was about half a bit. But I can no longer
find the code. I'm sure there's actually a known
theoretical value, too, but it's beyond me to get
that. But it can't be as much as a whole bit,
because that would imply that you could represent
all the outputs in an n-1-bit field, which clearly
isn't going to work.

Greg.

-- 
Greg Rose
232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au