entropy depletion
Zooko O'Whielacronx
zooko at zooko.com
Sat Jan 8 06:12:40 EST 2005
I would love to have an information-theoretic argument for the security
of my PRNG, but that's not what we have, and I don't think reducing the
entropy_count by one bit per output bit gets us any closer to such an
argument.
For starters, the entropy_count value before you output the bit is
obviously not a measure of the real information-theoretic entropy in
the PRNG's state. It is a guess implemented by a simple algorithm (the
"entropy estimator"). So if we set the resulting entropy_count after
outputting one bit to be equal to the previous entropy_count - 1, we
really have no justification for thinking that the resulting
entropy_count is any closer to the true information-theoretic entropy
than if you had set it equal to the previous entropy_count - 2.
On the other hand, I've haven't heard an information-theoretic argument
that the output bit contains a whole bit of entropy. There is a nice
practical-cryptography argument that an observer gains a whole bit of
information from seeing that output bit, but in pure
information-theoretic terms an observer gains less than one bit of
information from seeing that output. So perhaps when you output a bit
from /dev/random you ought to decrement entropy_count by 0.9 instead?
In general, I've heard no persuasive information-theoretic argument to
justify the practice of decrementing the entropy_count by 1 bit per
bit. If that practice does indeed ever protect someone from a
cryptanalytic attack on their PRNG, it will not be because the practice
is Information Theoretically Correct, but because the
entropy_count-bits-added-per-input-bit minus the
entropy_count-bits-subtracted-per-output-bit were an engineering fudge
factor that was turned up high enough to drown out the cryptanalytic
weakness in the PRNG.
Of course using such a fudge factor has some other costs, including the
cost of introducing new security risks. I estimate that the chance of
a successful attack due to timing attacks, induced failure, taking
advantage of accidental failure, social engineering, etc. outweighs the
chance of a successful attack due to cryptanalysis of the PRNG, which
is why I use /dev/urandom exclusively [*, **]. You may weigh those
trade-offs differently, but you shouldn't think that by decrementing
entropy_count you are achieving information-theoretic security.
Regards,
Zooko
[*] Of course I have to be aware of the regrettable possibility that
/dev/urandom has *never* been properly seeded and protect against that
in user space.
[**] ... and the possibility that the operating system is re-using
stored random state which it already used just before an unclean
shutdown.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list