[Cryptography] The Crypto Pi

[Jerry Leichter]

On Jan 26, 2015, at 8:07 AM, ianG <iang at iang.org> wrote:
> If a bit of entropy is touched or relied upon, then adding in another bit certainly overwhelms any reduction that might be imagined.  But because entropy is expensive this one-bit-equality leads to unreliable design (blocking), so it's a missed opportunity.
> 
> Meanwhile, from a security & attack perspective, there is a slightly more compelling argument that an attacker can copy the state at time N and roll it forward.  The "replace entropy after use" argument seems to mitigate that attack nicely.
That's actually not true.  If I can capture the state at time N, and then withdraw bits slowly - and you feed them back in slowly - then the system may never recover.  I wait for you to feed in 1 bit, then withdraw 1 bit. Half the time, on average, the single bit I got back tells me what bit was added.  If it doesn't, I draw another bit and play the same guessing game for what must have been added.  I quickly get to the point where there's only one possible set of inputs that would produce the output I saw - thus advancing my knowledge of the state.

That's why you should add "entropy" in large chunks, not dribble it in slowly.  (Or decide that this attack is uninteresting for any of a variety of perhaps-plausible reasons.)

While there is a real notion of entropy (several, in fact) and entropy is measured in bits, trying to use naive arguments to *count* bits of entropy is very dangerous.
                                                        -- Jerry