Entropy and PRNGs

David Wagner daw at cs.berkeley.edu
Mon Jan 10 15:34:12 EST 2005


John Denker writes:
>Well, of course indeed!  That notion of entropy -- the entropy
>in the adversary's frame of reference -- is precisely the
>notion that is appropriate to any adversarial situation, as I
>have consistently and clearly stated in my writings;
[...]
>There is only one entropy that matters in an adversarial
>situation.  The so-called "unconditional entropy" H(X) is
>merely a wild overestimate of the only thing that matters.

Ok.  I see that you were already well aware of the point Ben Laurie
was making, and indeed it was obvious to you.  Great.

But I have seen people for whom this was definitely not obvious, and
who failed to recognize the distinction between the two concepts or
the need to use conditional entropy until it was pointed out to them.
I guess Ben's paper is going to be useful for them, but not for you.

>I imagine a smart person such as DAW should be able to come
>up with five schemes in five minutes whereby UUID generation
>can be delegated to virtually any machine that wants it.
>MAC(eth0) /concat/ local counter will do for scheme #1.
[...]
>Horsefeathers.  For generating  UUIDs,  _zero_ entropy is
>sufficient, and no positive amount of entropy (unconditional
>or otherwise) can be called necessary.

You're right.  I take it back.  I accept your point about UUIDs.
There are schemes that avoid the need for randomness (entropy).
Thank you.
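
[Editor's note: the following is an added example, not code from the
original message or from either correspondent.  It implements the
"MAC(eth0) concatenated with a local counter" scheme quoted above and
shows the two properties the exchange turns on: the identifiers are
unique without consuming any randomness, and, for exactly that reason,
they carry zero entropy against an adversary who knows the MAC and the
counter.  The packing of the two inputs into the RFC 4122 version-1
field layout (counter in the 60-bit time field, a persisted restart
epoch in the 14-bit clock sequence, MAC in the node field) is this
example's own choice, as is the sample MAC; neither comes from the
thread.]

```python
"""Added example (not from the original message): identifiers that are
unique without any randomness, following the quoted scheme #1
(MAC(eth0) || local counter), plus a check that they have zero entropy
against an adversary who knows the inputs."""
import uuid


class CounterUuid:
    """Generator for MAC || counter identifiers packed into the RFC 4122
    version-1 field layout.  The packing is an assumption of this example:
      node        = 48-bit MAC of eth0
      time field  = 60-bit monotonic local counter
      clock_seq   = 14-bit restart epoch, bumped and persisted on every
                    restart so that a process starting again at counter 0
                    never re-issues an identifier an earlier run handed out
    """

    def __init__(self, mac: int, epoch: int, counter: int = 0) -> None:
        if not 0 <= mac < (1 << 48):
            raise ValueError("MAC must be a 48-bit value")
        if not 0 <= epoch < (1 << 14):
            raise ValueError("restart epoch must fit in 14 bits")
        if not 0 <= counter < (1 << 60):
            raise ValueError("counter must fit in 60 bits")
        self.mac, self.epoch, self.counter = mac, epoch, counter

    def next(self) -> uuid.UUID:
        """Issue the next identifier; refuses to wrap the counter."""
        if self.counter >= (1 << 60):
            raise OverflowError("counter exhausted: bump the epoch and restart")
        c = self.counter
        self.counter += 1
        fields = (
            c & 0xFFFFFFFF,                      # time_low
            (c >> 32) & 0xFFFF,                  # time_mid
            (1 << 12) | ((c >> 48) & 0x0FFF),    # version 1 | time_hi
            0x80 | ((self.epoch >> 8) & 0x3F),   # RFC 4122 variant | seq hi
            self.epoch & 0xFF,                   # clock_seq_low
            self.mac,                            # node
        )
        return uuid.UUID(fields=fields)


def predict(mac: int, epoch: int, counter: int) -> uuid.UUID:
    """What an adversary who knows MAC, epoch and counter can compute: the
    identifier itself.  That is the 'zero entropy' of the scheme: it gives
    uniqueness, not unguessability, so such IDs must never double as
    session tokens, capabilities or anything that has to stay secret."""
    return CounterUuid(mac, epoch, counter).next()


def all_unique(ids) -> bool:
    ids = list(ids)
    return len(set(ids)) == len(ids)


def demo() -> dict:
    # Constructed sample inputs, not real hardware addresses.
    mac_a, mac_b = 0x001122334455, 0x0A1B2C3D4E5F
    run1 = CounterUuid(mac_a, epoch=0)
    ids_run1 = [run1.next() for _ in range(1000)]
    # Simulated restart of node A with the persisted epoch bumped to 1.
    run2 = CounterUuid(mac_a, epoch=1)
    ids_run2 = [run2.next() for _ in range(1000)]
    # A different machine, same counter values: distinct by its MAC alone.
    node_b = CounterUuid(mac_b, epoch=0)
    ids_b = [node_b.next() for _ in range(1000)]
    return {
        "unique": all_unique(ids_run1 + ids_run2 + ids_b),
        "predictable": ids_run1[17] == predict(mac_a, 0, 17),
        # Forgetting to bump the epoch after a restart re-issues old IDs.
        "restart_collides_without_epoch":
            CounterUuid(mac_a, epoch=0).next() == ids_run1[0],
    }


if __name__ == "__main__":
    print(demo())
```

The only state the scheme has to protect is the counter and the restart
epoch: lose the epoch and a restarted process repeats identifiers it
already issued, which is the one failure mode of this kind of design.
None of that state needs to be secret, and no entropy source is touched
at any point, which is the sense in which zero entropy is sufficient.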

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com