[Cryptography] Entropy is forever ...

Thierry Moreau thierry.moreau at connotech.com
Sun Apr 19 09:23:52 EDT 2015


On 04/17/15 18:59, John Denker wrote:
> On 04/17/2015 10:26 AM, Thierry Moreau wrote:
>
>
>> The central question is this problem. A system is booted
>> and receives 2000 bits of true randomness (i.e. a 2000-bit
>> message from a source with 2000 bits of entropy) that are
>> used to seed a cryptographic PRNG having an internal state
>> of 2000 bits. This PRNG is used to generate 4 RSA key pairs
>> with moduli sizes of 2400 bits. The private keys are kept
>> secret until their use in their respective usage contexts.
>> No data leak occurred during the system operation. After
>> the key generation, the system memory is erased. What is
>> the proper entropy assessment for each of the RSA key pairs
>> (assume there are 2^2000 valid RSA moduli for a moduli size
>> of 2400 bits, a number-theoretic assumption orthogonal to
>> the entropy question)?
>>
>> My answer is that each of the 4 RSA key pairs is independently
>> backed by 2000 bits of entropy assurance.
>
> No, because they are not /independent/.  (Sometimes
> it may be computationally infeasible to exploit the
> dependence, but that's a separate question.)
>

In the question I asked, the computational independence is
presumed.

> Suppose I prepare a one-time pad consisting of a sample
> of 2000 random bits.  I print it once on red paper, and
> print the same thing on blue paper.  I give you one of
> them.  That gives you 2000 bits of information you wouldn't
> otherwise have.  Then if I give you the other one, that
> gives you zero additional information.

In the question I asked, the two disclosures are distinct
one-way transformations of the common 2000-bit sample.

You may even explicitly consider the case where the
two disclosures are to distinct parties (the RSA key pairs
"usage context" was unspecified).

>
>    https://www.av8n.com/physics/thermo/entropy.html

Thermodynamics ...

Well, you may blame my incompetence for my unwillingness
to follow this route.

>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography
>
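
The scenario debated in this thread, scaled down so it can be enumerated exactly; this is an added example, not part of the original message. Assumptions: a 10-bit seed stands in for the 2000-bit seed, and SHA-256 over a hypothetical per-key label plus the seed stands in for "PRNG plus RSA key generation" as the distinct one-way transformations.

```python
import hashlib
import math
from collections import Counter

SEED_BITS = 10  # toy stand-in for the 2000-bit seed in the post (assumption)
LABELS = (b"key-1", b"key-2", b"key-3", b"key-4")  # hypothetical usage contexts


def derive(seed: int, label: bytes, out_bits: int) -> int:
    """One-way transformation of the seed: SHA-256(label || seed), truncated."""
    digest = hashlib.sha256(label + seed.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def shannon_bits(outcomes) -> float:
    """Shannon entropy (bits) of the distribution given by equally likely outcomes."""
    counts = Counter(outcomes)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess(seed_bits: int = SEED_BITS, out_bits: int = 256) -> dict:
    """Enumerate every equally likely seed and measure the derived keys."""
    rows = [tuple(derive(s, lab, out_bits) for lab in LABELS)
            for s in range(2 ** seed_bits)]
    marginals = [shannon_bits(r[i] for r in rows) for i in range(len(LABELS))]
    joint = shannon_bits(rows)          # entropy of all four keys taken together
    pair = shannon_bits((r[0], r[1]) for r in rows)
    return {
        "marginals": marginals,         # entropy of each key on its own
        "joint": joint,
        # I(K1;K2) = H(K1) + H(K2) - H(K1,K2): what key 1 reveals about key 2
        # to an observer who is not computationally bounded.
        "mutual_info_k1_k2": marginals[0] + marginals[1] - pair,
    }


if __name__ == "__main__":
    # 256-bit outputs: no collisions; SEED_BITS-wide outputs: key space as
    # small as the seed space, so collisions can lower each marginal.
    for width in (256, SEED_BITS):
        print(width, assess(out_bits=width))
```

With wide outputs each key individually carries the full seed entropy, while the four keys together carry no more than that same amount. The mutual-information figure is information-theoretic and says nothing about whether the dependence is computationally exploitable.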


