Re: True Random Number Generator

On Feb 9, 4:25 pm, Mok-Kong Shen <mok-kong.s...@xxxxxxxxxxx> wrote:
bmearns wrote:
It depends on your meaning of perfect security. Even with an OTP, it
is possible to guess the plaintext. It just so happens that the
ciphertext does not give you any information about it (except its
length). But yes, I suppose the security of an OTP is pretty closely
tied to entropy. What an OTP really does is eliminate all limiting
factors. In the general case, the key of a non-OTP cipher will be the
limiting case: it will have less entropy than anything else (except
for short messages), and is therefore the easiest to brute force. For
an OTP this is no longer the case, the key will never have less
entropy than the plaintext since they are the same length, and the key
has maximum entropy (1 Shannon per bit).

To your original point, however, it is not the entropy per symbol of
the ciphertext that provides security, even for an OTP. You could
perform your OTP and then encode each bit of encrypted output as an
ASCII description of the bit ("TRUE" or "FALSE). The entropy per bit
is going to drop dramatically (2 Shannons per 9 octets, about 0.11
Shannons per bit), but it is not less secure than if you left it in
binary. This is what you were missing when you were pointing out the
low per-symbol entropy contribution AES makes. The fact that each
octet of ciphertext only has (for instance) 0.00001 extra bits of
entropy compared to the input doesn't change the fact that the message
as a whole still has 128 more bits of entropy, and is therefore 2^128
times harder to guess.

The OTP xor-ed plaintext bits, i.e. a sequence of ciphertext bits, have
full entropy and have perfect security in a certain accepted definition
of crypto. My problem is this: An AES encrypted plaintext bits (let's
forget that they come originally from symbols), doesn't have perfect
security. Can't one view this fact from the view point that this is
because this sequence of bits doesn't have full entropy? If not, why not?


M. K. Shen

You're assuming causation where none is required. AES also generates
binary ciphertext, that doesn't mean that this is the reason it
doesn't have perfect security. Likewise, just because it doesn't have
maximum entropy doesn't mean this is necessarily the reason it isn't
perfectly secure.


Relevant Pages

  • Re: Encrypting random plaintests
    ... what the redundancy Rof the plaintext, the entropy Hof the ... encrypting a plaintext with R- for example, ... bits - every ciphertext block will be the same. ... transformation ensures indistinguishability ...
  • Re: Making a Science of Invincible Ignorance
    ... you select an OTP key by selecting individual letters of the ... that in an N-letter alphabet, the probability that the next letter ... The ciphertext is not meant to be random (where random means equal ... some suitable form of combining plaintext and key to yield ciphertext, ...
  • Re: Chosen plaintext attacks
    ... the plaintext you have the OTP stream. ... "The known-plaintext attack or crib is an attack model for ... "In cryptography, the one-time pad (OTP) is a type of encryption, ... the same length as the plaintext, resulting in a ciphertext. ...
  • Re: Encrypting random plaintests
    ... Goal is random plaintext strings. ... what the redundancy Rof the plaintext, the entropy Hof the ... bits - every ciphertext block will be the same. ...
  • Re: True Random Number Generator
    ... But the key has at most 128 bits of entropy. ... Isn't it a miracle that the resulting ciphertext stream (a result ... "after all" in comparison with the plaintext stream (the enhancement ... encryption that relates the security to the entropy of the ciphertext. ...