[Cryptography] Entropy Needed for SSH Keys?

Ben Laurie ben at links.org
Mon May 23 17:07:32 EDT 2016


On 23 May 2016 at 05:13, David Johnston <dj at deadhat.com> wrote:
> On 5/22/16 6:18 PM, Kent Borg wrote:
>
>> Dammit, I can neither remember nor find that quote about how using a
>> deterministic process to make up random numbers is against nature, or grace,
>> or the universe. Like I say, I can't find it.
>
> While I'm gainfully employed as an RNG designer and general crypto security
> person, I hold the opinion that ignorance beats entropy.
>
> In one sense, ignorance of the state of a system can be equated to that
> system having entropy relative to the thing that is ignorant of the state of
> the system.
>
> However we tend to think of entropy as being an intrinsic thing, arising
> from underlying quantum uncertainty, rather than a relative thing.
>
> However we know we don't have a complete understanding of quantum physics or
> quantum uncertainty, whereas we know all about ignorance. You can rely on
> ignorance. If someone is ignorant of your key, the key works just fine in a
> crypto system that is intended to prevent that person undermining security
> in some way.
>
> Deterministic processes are just fine at taking samples from a complex system
> and turning them into a state that is hard to predict. While having 'full
> entropy' numbers that therefore have no algorithmic connection between them
> is a fine thing for random numbers, the whole concept of full entropy comes
> from the assumption that the randomness of quantum uncertainty is a real
> thing. If not, if the rules of the universe are actually deterministic, then
> we have to fall back on ignorance of the state of complex systems in order
> to create unpredictable numbers.
>
> So in that sense, ignorance beats quantum uncertainty. You can rely on
> ignorance, but have to trust the assumption that quantum uncertainty is
> real.

Gotta say, I really like this analysis.

> If you make your crypto system such that it's secure provided either one of
> ignorance of a complex system state or quantum uncertainty holds true, then the
> assumptions on which the security of the system is based will be more
> robust.

Why limit yourself to these two possibilities?
