Re: entropy depletion (was: SSL/TLS passive sniffing)

>From: John Denker <jsd@xxxxxxxx>
>Sent: Jan 5, 2005 2:06 PM
>To: Enzo Michelangeli <em@xxxxxxxxxxxx>
>Cc: cryptography@xxxxxxxxxxxx
>Subject: Re: entropy depletion (was: SSL/TLS passive sniffing)

>You're letting your intuition about "usable randomness" run roughshod over
>the formal definition of entropy. Taking bits out of the PRNG *does*
>reduce its entropy. This may not (and in many applications does not)
>reduce its ability to produce useful randomness.

Right. The critical question is whether the PRNG part gets to a secure state,
which basically means a state the attacker can't guess in the amount of work
he's able to do. If the PRNG gets to a secure state before generating any
output, then assuming the PRNG algorithm is secure, the outputs are
indistinguishable from random.

The discussion of how much fresh entropy is coming in is sometimes a bit
misleading. If you shove 64 bits of entropy in, then generate a 128-bit
output, then shove another 64 bits of entropy in, you don't end up in a secure
state, because an attacker can guess your first 64 bits of entropy from your
first output. What matters is how much entropy is shoved in between the time
when the PRNG is in a known state, and the time when it's used to generate an

--John Kelsey
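The 64-bits-in, output, 64-bits-more-in scenario above can be made concrete with a small simulation. The code below is an added illustration and is not part of Kelsey's post or any real PRNG implementation; it uses a toy hash-based PRNG (SHA-256 for absorbing entropy and for generating output), and constructed entropy inputs of only 8 bits each so that the state-recovery work is visible in a test. The defender's takeaway is the one the post makes: a PRNG that reseeds and produces output after each small entropy input lets an attacker who knows the earlier state catch up one small chunk at a time, whereas accumulating the same entropy before generating any output forces the attacker to search the combined space (this is the reasoning behind pool-accumulation designs such as Fortuna).

```python
import hashlib


def absorb(state: bytes, entropy: bytes) -> bytes:
    """Toy PRNG reseed: mix new entropy into the 32-byte state."""
    return hashlib.sha256(b"absorb" + state + entropy).digest()


def generate(state: bytes) -> tuple[bytes, bytes]:
    """Toy PRNG output step: 16 bytes of output plus the successor state."""
    out = hashlib.sha256(b"out" + state).digest()[:16]
    next_state = hashlib.sha256(b"next" + state).digest()
    return out, next_state


def recover_state(known_state: bytes, observed_output: bytes, entropy_bits: int):
    """Model of an adversary who knows the state before a reseed and sees the
    next output: try every possible entropy input of the given size and return
    the successor state that reproduces the observed output, plus the number of
    candidates tried."""
    width = (entropy_bits + 7) // 8
    tries = 0
    for i in range(2 ** entropy_bits):
        tries += 1
        candidate = absorb(known_state, i.to_bytes(width, "big"))
        out, next_state = generate(candidate)
        if out == observed_output:
            return next_state, tries
    return None, tries


def attack_incremental(state0: bytes, e1: bytes, e2: bytes) -> tuple[bool, int]:
    """Policy A: reseed with e1, output, reseed with e2, output.
    The adversary recovers the state after each output separately."""
    s = absorb(state0, e1)
    out1, s = generate(s)
    s = absorb(s, e2)
    out2, s_true = generate(s)

    s_guess, t1 = recover_state(state0, out1, 8)
    s_guess, t2 = recover_state(s_guess, out2, 8)
    return s_guess == s_true, t1 + t2


def attack_batched(state0: bytes, e1: bytes, e2: bytes) -> tuple[bool, int]:
    """Policy B: accumulate e1 and e2, reseed once, then output.
    The adversary must search both chunks jointly (16 bits here)."""
    s = absorb(state0, e1 + e2)
    out, s_true = generate(s)

    s_guess, t = recover_state(state0, out, 16)
    return s_guess == s_true, t


# Constructed sample values: a known (all-zero) starting state and two
# 8-bit entropy inputs. Real sources deliver far more per input; the sizes
# are tiny only so the brute-force counts are small enough to run instantly.
STATE0 = bytes(32)
E1 = b"\xa7"
E2 = b"\x3c"

if __name__ == "__main__":
    ok_a, work_a = attack_incremental(STATE0, E1, E2)
    ok_b, work_b = attack_batched(STATE0, E1, E2)
    print(f"incremental reseed: recovered={ok_a}, candidates tried={work_a} (bound 2*2^8)")
    print(f"batched reseed:     recovered={ok_b}, candidates tried={work_b} (bound 2^16)")
```

With two 8-bit inputs the incremental policy costs the adversary at most 2 * 2^8 = 512 candidates, while the batched policy costs up to 2^16 = 65536; in general the gap is k * 2^n versus 2^(k*n) for k inputs of n bits, which is why the entropy delivered between a known state and the next output, not the total entropy ever fed in, determines whether the generator reaches a secure state.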

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@xxxxxxxxxxxx