[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: why compression doesn't perfectly even out entropy
In a message dated 96-04-18 15:05:51 EDT, Perry Metzger writes:
>Before making pronouncements like "You are still OK" you ought to
>learn a bit more about cryptanalysis. Its tiny little statistical
>toeholds like that which permit breaks. I don't know for sure, but my
>intuition says that there may very well be instances in which a couple
>of little nicks like that into the entropy of a key are sufficient to
>radically lower the time to crack something. Since there are far
>better techniques available (hash distillation, for instance) for
>assuring the quality of a random stream, Jon's suggested techniques
>should be regarded as unnecessary and dangerous.
[Slightly ad hominem PSA deleted]
1. If "cooking" a byte sequence in a manner that reduces its maximum entropy
by less than 1% allows an attacker to break your cryptosystem, then it is
crap to begin with. With only a little more effort, he could break it
anyway.
2. All I was trying to say was that applying cooking technique X to a byte
sequence will reduce the maximum entropy of the sequence by a factor of Y;
adjust entropy expectations accordingly. I said nothing about the origin of
the byte sequence, the techniques used to generate it, or the exact method
for "cooking" it. I did not recommend against using hash distillation,
hardware RNG's, or any other commonly accepted method of generating
cryptographically useful random or pseudo-random numbers.
Jonathan Wienke