[Cryptography] The Crypto Pi

Ray Dillinger bear at sonic.net
Sun Jan 25 14:50:11 EST 2015

On 01/25/2015 09:46 AM, Ralf Senderek wrote:
> On Sun, 25 Jan 2015 17:41:35 Ben Laurie wrote:
>> My point is I don't believe that entropy_avail really represents a
>> useful measurement.
> Okay, is there an alternative?
> If entropy_avail is misleading, we're shooting in the dark while trying to
> find out how much entropy is in a chunk of bytes read from /dev/random.

The problem with the idea of a single entropy_avail figure is
that "entropy" means information unknown to all opponents, and
different opponents, at least theoretically, may have access
to different parts of your state.

If you have 128 bits known to your hardware manufacturer, 128
bits known to the NSA, 128 bits known to your ISP, and 128 bits
known to MI6, then you have 384 bits of effective entropy against
*EVERY* opponent on the list *UNLESS* they are sharing information
with each other. If any three of them are sharing information you
still have 128 bits of effective entropy against those three.
But if you're aware that any given entropy source could be tapped
by one of them, you can't count anything at all toward entropy_avail.

The question of how much entropy you effectively have is largely
a question of how many sources you get it from and whether any
single opponent has access to *ALL* of those sources.  Many
sources of entropy, at least some of which are local, is
*drastically* more secure than any single source of entropy
no matter its apparent quality, because its apparent quality
could be a sham or turn out to not be so great in a way an
opponent will eventually figure out.


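
The accounting described in the message above, as an added example that is not part of the original post: it computes the entropy left against every coalition of opponents who share what they know, then confirms the figure by brute force at toy scale. The source names (`src_a` to `src_d`), the 4-bit toy values and the use of SHA-256 as the mixing function are assumptions made for illustration.

```python
import hashlib
import itertools

# Constructed model of the post's scenario: four sources, each known to one opponent.
KNOWN_TO = {"src_a": "hw_vendor", "src_b": "nsa", "src_c": "isp", "src_d": "mi6"}
OPPONENTS = sorted(set(KNOWN_TO.values()))

def effective_bits(coalition, bits_per_source=128):
    """Bits still unknown to a set of opponents who share what they know."""
    return sum(bits_per_source for who in KNOWN_TO.values() if who not in coalition)

def worst_case_bits(k, bits_per_source=128):
    """Minimum effective entropy over every coalition of k colluding opponents."""
    return min(effective_bits(set(c), bits_per_source)
               for c in itertools.combinations(OPPONENTS, k))

# Toy-scale check: 4-bit sources (constructed values) mixed with SHA-256, which
# stands in for a pool's mixing function; it is not the kernel's construction.
TOY_BITS = 4
TOY_VALUES = {"src_a": 0xA, "src_b": 0x3, "src_c": 0xF, "src_d": 0x5}

def mix(values):
    """Hash all source values together into one pool output."""
    return hashlib.sha256(bytes(values[s] for s in sorted(values))).digest()

def brute_force(coalition):
    """Enumerate every source the coalition does not know.

    Returns (candidates tried in the worst case, pool output reproduced?)."""
    target = mix(TOY_VALUES)
    unknown = [s for s, who in KNOWN_TO.items() if who not in coalition]
    tried, found = 0, False
    for guess in itertools.product(range(2 ** TOY_BITS), repeat=len(unknown)):
        tried += 1
        candidate = {**TOY_VALUES, **dict(zip(unknown, guess))}
        if mix(candidate) == target:
            found = True
    return tried, found

if __name__ == "__main__":
    for k in range(len(OPPONENTS) + 1):
        print(f"{k} colluding: worst case {worst_case_bits(k)} bits")
    print(brute_force({"nsa"}))         # one opponent must search three sources
    print(brute_force(set(OPPONENTS)))  # everyone sharing: nothing left to search
```

The search cost depends only on which sources the coalition lacks, so a single source of any apparent quality is worth zero bits against whoever can tap it.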