Entropy and PRNGs
John Denker
jsd at av8n.com
Mon Jan 10 14:28:01 EST 2005
John Kelsey wrote:
>
> If your attacker (who lives sometime in the future, and may
> have a large budget besides) comes up with a better model to
> describe the process you're using as a source of noise, you
> could be out of luck. The thing that matters is H(X| all
> information available to the attacker), which is based on P(X
> | all information available to the attacker), which includes a
> model that may be better than yours.
I disagree. For the sources of entropy that I consider
real entropy, such as thermal noise, for a modest payoff I'd
be willing to bet my life -- and also the lives of millions
of innocent people -- on the proposition that no adversary,
no matter how far in the future and no matter how resourceful,
will ever find in my data less entropy than I say there is.
(For instance, under suitable conditions I might say that
there's 159.98 bits of entropy in a 160-bit word.)
Of course I'd want to make approriate checks for implementation
errors, but in principle the entropy is there and the adversary
can't make it go away. Some guy named Shannon had something to
say about this.
> But I think it's of practical value to consider the different
> attackers whose information might not include some information
> you use for seeding a PRNG. Some sources of entropy, such as
> packet arrival times, are not worth much for attackers on your
> local network who are attacking you in real time, but are
> quite valuable against attackers who attack you later. Other
> sources of entropy, such as the hash of the contents of your
> Windows registry, or a full directory tree from your hard
> drive, are worthwhile against real-time attackers without
> access to your machine, but worthless against attackers with
> your machine in their hands.
Can you please exhibit a nonzero lower bound on the entropy
content of the windows registry? If not, please don't call
it entropy.
In particular, I ask you to consider the case of mass-produced
network appliances as mentioned at
http://www.av8n.com/turbid/paper/turbid.htm#sec-prng-attack
and consider whether, registry or no registry, the boxes will
be waaay too much alike.
In ordinary situations, the windows registry is constructed
by strictly deterministic processes. No entropy. If your
adversaries are so lame that they cannot figure out how the
registry is constructed, you're living in some kind of paradise.
> Differentiate between measures of entropy. Collision entropy ...
Let's stay on-topic.
There is only one measure of entropy appropriate to a random
symbol generator. If I am unable in principle to predict
the output of my HESG, then under mild assumptions that's
what I call entropy.
By mild assumptions I mean things like assuming my
machine has not been taken over by the attacker. This
assumption is of course common to *all* discussions
of security algorithms and principles. I mention it
only to fend off nit-picks. There's not much point in
discussing algorithm "A" if you're going to turn around
and tell me your box might be implementing some other
algorithm.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list