entropy depletion (was: SSL/TLS passive sniffing)

John Kelsey kelsey.j at ix.netcom.com
Fri Jan 7 12:40:39 EST 2005


>From: John Denker <jsd at av8n.com>
>Sent: Jan 5, 2005 2:06 PM
>To: Enzo Michelangeli <em at em.no-ip.com>
>Cc: cryptography at metzdowd.com
>Subject: Re: entropy depletion (was: SSL/TLS passive sniffing)

...
>You're letting your intuition about "usable randomness" run roughshod over
>the formal definition of entropy.  Taking bits out of the PRNG *does*
>reduce its entropy.  This may not (and in many applications does not)
>reduce its ability to produce useful randomness.

Right.  The critical question is whether the PRNG part gets to a secure state, which basically means a state the attacker can't guess in the amount of work he's able to do.   If the PRNG gets to a secure state before generating any output, then assuming the PRNG algorithm is secure, the outputs are indistinguishable from random.  

The discussion of how much fresh entropy is coming in is sometimes a bit misleading.  If you shove 64 bits of entropy in, then generate a 128-bit output, then shove another 64 bits of entropy in, you don't end up in a secure state, because an attacker can guess your first 64 bits of entropy from your first output.  What matters is how much entropy is shoved in between the time when the PRNG is in a known state, and the time when it's used to generate an output.  

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list