Re: True Random Number Generator

On Feb 9, 4:25 pm, Mok-Kong Shen <mok-kong.s...@xxxxxxxxxxx> wrote:
bmearns wrote:
It depends on your meaning of perfect security. Even with an OTP, it
is possible to guess the plaintext. It just so happens that the
ciphertext does not give you any information about it (except its
length). But yes, I suppose the security of an OTP is pretty closely
tied to entropy. What an OTP really does is eliminate all limiting
factors. In the general case, the key of a non-OTP cipher will be the
limiting case: it will have less entropy than anything else (except
for short messages), and is therefore the easiest to brute force. For
an OTP this is no longer the case, the key will never have less
entropy than the plaintext since they are the same length, and the key
has maximum entropy (1 Shannon per bit).

To your original point, however, it is not the entropy per symbol of
the ciphertext that provides security, even for an OTP. You could
perform your OTP and then encode each bit of encrypted output as an
ASCII description of the bit ("TRUE" or "FALSE"). The entropy per bit
is going to drop dramatically (2 Shannons per 9 octets, about 0.11
Shannons per bit), but it is not less secure than if you left it in
binary. This is what you were missing when you were pointing out the
low per-symbol entropy contribution AES makes. The fact that each
octet of ciphertext only has (for instance) 0.00001 extra bits of
entropy compared to the input doesn't change the fact that the message
as a whole still has 128 more bits of entropy, and is therefore 2^128
times harder to guess.

The OTP xor-ed plaintext bits, i.e. a sequence of ciphertext bits, have
full entropy and have perfect security in a certain accepted definition
of crypto. My problem is this: AES-encrypted plaintext bits (let's
forget that they come originally from symbols) don't have perfect
security. Can't one view this fact from the view point that this is
because this sequence of bits doesn't have full entropy? If not, why not?


M. K. Shen

You're assuming causation where none is required. AES also generates
binary ciphertext; that doesn't mean that this is the reason it
doesn't have perfect security. Likewise, just because it doesn't have
maximum entropy doesn't mean this is necessarily the reason it isn't
perfectly secure.
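
An added illustration, not part of the original post, of the "TRUE"/"FALSE" re-encoding argument quoted above: the word encoding is a public, keyless, invertible map, so it lowers the information carried per octet without changing what an attacker has to guess. The function names and the sample message are constructed for this example.

```python
import secrets

WORDS = {0: b"FALSE", 1: b"TRUE"}  # the post's ASCII description of each bit

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a pad of exactly the message length."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, pad))

def encode_words(data: bytes) -> bytes:
    """Public, keyless re-encoding: every bit (MSB first) becomes a word."""
    return b"".join(WORDS[(byte >> i) & 1] for byte in data for i in range(7, -1, -1))

def decode_words(text: bytes) -> bytes:
    """Inverse of encode_words; anyone can run it, no key is involved."""
    bits, pos = [], 0
    while pos < len(text):
        for bit, word in WORDS.items():
            if text.startswith(word, pos):
                bits.append(bit)
                pos += len(word)
                break
        else:
            raise ValueError(f"unexpected data at offset {pos}")
    if len(bits) % 8:
        raise ValueError("bit count is not a whole number of octets")
    return bytes(
        sum(b << (7 - k) for k, b in enumerate(bits[j:j + 8]))
        for j in range(0, len(bits), 8)
    )

def shannons_per_octet(ciphertext: bytes) -> float:
    """Information per octet of the word-encoded form of a uniform ciphertext."""
    if not ciphertext:
        raise ValueError("empty ciphertext")
    return 8 * len(ciphertext) / len(encode_words(ciphertext))

if __name__ == "__main__":
    message = b"MEET AT NOON"                 # constructed sample plaintext
    pad = secrets.token_bytes(len(message))   # uniformly random, used once
    ct = otp_xor(message, pad)
    wordy = encode_words(ct)
    assert decode_words(wordy) == ct          # the encoding is fully reversible
    assert otp_xor(decode_words(wordy), pad) == message
    print(f"binary: {len(ct)} octets at 8.000 Shannons/octet")
    print(f"words:  {len(wordy)} octets at {shannons_per_octet(ct):.3f} Shannons/octet")
```

Because `decode_words` needs no secret, the word-encoded output gives an observer exactly the ciphertext and nothing more, whatever its per-octet density.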