[Cryptography] Entropy is forever ...

John Denker jsd at av8n.com
Thu Apr 23 00:20:01 EDT 2015



On 04/22/2015 02:10 PM, Ray Dillinger wrote:

> The use of "entropy" to denote unpredictability in CSPRNGs
> and other cryptographic numbers has always been problematic.
> 
> It's a physics concept that isn't really all that well mapped
> to what we're using the word for.

I reckon that's true in context, but to be more general
and more methodical we ought to specify what "we" are
using the word for.

Surely entropy is not the answer to all the world's
questions ... but it is the answer to some questions,
including some ultra-fundamental ultra-practical
questions.

The operation of every cryptosystem I know of depends
critically on randomly-distributed numbers.  If we get 
that from a CSPRNG, we care about the computational
strength of the algorithm, but we also care a great
deal about the seed.  If the seed comes from another
CSPRNG, it reduces to the problem previously not
solved:  where does the seed come from?  The only
way to escape the loop is to obtain a seed with real
entropy.  Physics is required.  You can't do it with
algorithms alone, as von Neumann pointed out in 1947
... but you can do it with physics.

The average cryptographer doesn't need to worry about
it on a day-to-day basis, but the fact remains:   If 
you follow the chain far enough, every cryptosystem 
I can imagine depends on a number of things, one of 
which is physics, more specifically thermodynamics.
   (Thermo includes quantum statistical mechanics.
   Often the classical limit is more than good 
   enough, by a wide margin, but we can handle
   the general case if we want.)

Do not take your random numbers for granted!  It is
not by accident that the NSA decided to subvert
random number generation via NIST SP 800-90.  If
you can break the RNG, you can break everything.

> Entropy in physics follows a different model from the
> rather peculiar "physics" of how it is conserved and
> distributed in cryptographic systems.

I vehemently disagree.  Entropy is entropy.  It is
not the answer to all the world's questions;  in
many cases it is not even the right way to frame 
the question.  So use a different term already!
Something can be 100% random in the sense of a
CSPRNG yet still have very nearly 0% entropy
density.  The physics entropy *is* the crypto
entropy;  it's just not (usually) the relevant
measure of randomness.

> I trust a CSPRNG with a "good" algorithm
> and 16Kbytes of state unknown to and unpredictable by
> an attacker, to remain absolutely secure for any practical
> length sequence of bits without further input.

That's fine, but how do we convince ourselves that
the state is unknown and unpredictable?  I strongly
recommend obtaining seeds from a good HRNG.

> Anyway the conservation laws are very different for
> cryptographic entropy than they are for physics entropy,
> so probably using a different word such as "surprisal"
> would be less misleading.

Entropy is one thing.
Surprisal is another.
Randomness is yet another.

The only rule is, say what you mean, and mean what
you say.  If you mean randomness, say "randomness",
not entropy.

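An added illustration of the "100% random yet nearly 0% entropy density" point above (example code, not from the original post or its author): a stream expanded from a 16-bit seed by a toy hash-counter generator scores close to 8 bits/byte on empirical Shannon and min-entropy estimators, yet its true entropy density is bounded by 16 bits divided by the stream length. The generator, the seed value and the function names are constructed for this example.

```python
import hashlib
import math
from collections import Counter


def expand(seed: bytes, n_bytes: int) -> bytes:
    """Toy deterministic generator: SHA-256 in counter mode over the seed.

    Constructed for illustration (not a real DRBG). Every output byte is a
    function of the seed alone, so the stream carries no more entropy than
    the seed did, however long the stream is.
    """
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte histogram (8.0 means uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def min_entropy_bits_per_byte(data: bytes) -> float:
    """Empirical min-entropy: -log2 of the most frequent byte's frequency."""
    most_common_count = Counter(data).most_common(1)[0][1]
    return -math.log2(most_common_count / len(data))


def entropy_density_bound(seed_bits: int, n_bytes: int) -> float:
    """Upper bound on true entropy per output bit: the seed is all there is."""
    return seed_bits / (8 * n_bytes)


if __name__ == "__main__":
    seed = (0x1234).to_bytes(2, "big")  # constructed 16-bit seed
    stream = expand(seed, 65536)
    # Statistical estimators see a uniform-looking byte stream ...
    print(f"Shannon estimate:     {shannon_bits_per_byte(stream):.3f} bits/byte")
    print(f"Min-entropy estimate: {min_entropy_bits_per_byte(stream):.3f} bits/byte")
    # ... while the actual entropy density is tiny.
    print(f"True entropy density <= {entropy_density_bound(16, len(stream)):.2e} bits/bit")
```

The estimators measure how the bytes are distributed, which is the randomness Ray describes; the bound measures the entropy that was actually put in, which is what the seed question is about.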