# Re: True Random Number Generator

*From*: bmearns <mearns.b@xxxxxxxxx>

*Date*: Tue, 9 Feb 2010 19:31:07 -0800 (PST)

On Feb 9, 4:25 pm, Mok-Kong Shen <mok-kong.s...@xxxxxxxxxxx> wrote:
> bmearns wrote:
>
> > It depends on your meaning of perfect security. Even with an OTP, it
> > is possible to guess the plaintext. It just so happens that the
> > ciphertext does not give you any information about it (except its
> > length). But yes, I suppose the security of an OTP is pretty closely
> > tied to entropy. What an OTP really does is eliminate all limiting
> > factors. In the general case, the key of a non-OTP cipher will be the
> > limiting case: it will have less entropy than anything else (except
> > for short messages), and is therefore the easiest to brute force. For
> > an OTP this is no longer the case, the key will never have less
> > entropy than the plaintext since they are the same length, and the key
> > has maximum entropy (1 Shannon per bit).
> >
> > To your original point, however, it is not the entropy per symbol of
> > the ciphertext that provides security, even for an OTP. You could
> > perform your OTP and then encode each bit of encrypted output as an
> > ASCII description of the bit ("TRUE" or "FALSE"). The entropy per bit
> > is going to drop dramatically (2 Shannons per 9 octets, about 0.11
> > Shannons per bit), but it is not less secure than if you left it in
> > binary. This is what you were missing when you were pointing out the
> > low per-symbol entropy contribution AES makes. The fact that each
> > octet of ciphertext only has (for instance) 0.00001 extra bits of
> > entropy compared to the input doesn't change the fact that the message
> > as a whole still has 128 more bits of entropy, and is therefore 2^128
> > times harder to guess.
>
> The OTP xor-ed plaintext bits, i.e. a sequence of ciphertext bits, have
> full entropy and have perfect security in a certain accepted definition
> of crypto. My problem is this: An AES encrypted plaintext bits (let's
> forget that they come originally from symbols), doesn't have perfect
> security. Can't one view this fact from the view point that this is
> because this sequence of bits doesn't have full entropy? If not, why not?
>
> Thanks,
>
> M. K. Shen

You're assuming causation where none is required. AES also generates
binary ciphertext, that doesn't mean that this is the reason it
doesn't have perfect security. Likewise, just because it doesn't have
maximum entropy doesn't mean this is necessarily the reason it isn't
perfectly secure.

-Brian
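The TRUE/FALSE argument in the post above can be checked by exhaustive enumeration. This is an added example, not part of the original post: it assumes a constructed 4-bit message space with a skewed prior, all function names are illustrative, and it computes the mutual information between plaintext and ciphertext for raw OTP output and for the same output spelled as ASCII words.

```python
from collections import Counter
from itertools import product
from math import log2

N = 4  # toy message length in bits, small enough to enumerate every key
# Constructed, deliberately skewed plaintext prior (low-entropy messages).
PRIOR = {(0, 0, 0, 0): 0.7, (1, 1, 1, 1): 0.2, (1, 0, 1, 0): 0.1}

def otp(msg, key):
    """One-time pad: XOR each message bit with the matching key bit."""
    return tuple(m ^ k for m, k in zip(msg, key))

def as_words(bits):
    """Spell each ciphertext bit as ASCII 'TRUE' or 'FALSE' (still uniquely decodable)."""
    return "".join("TRUE" if b else "FALSE" for b in bits)

def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)

def analyse(encode, size_in_bits):
    """Return (I(M;C), H(C), H(C) per transmitted bit) under a uniform random key."""
    keys = list(product((0, 1), repeat=N))
    joint, cipher = Counter(), Counter()
    for msg, p_msg in PRIOR.items():
        for key in keys:
            c = encode(otp(msg, key))
            joint[(msg, c)] += p_msg / len(keys)
            cipher[c] += p_msg / len(keys)
    h_c = entropy(cipher)
    leak = entropy(PRIOR) + h_c - entropy(joint)  # mutual information I(M;C)
    mean_size = sum(p * size_in_bits(c) for c, p in cipher.items())
    return leak, h_c, h_c / mean_size

def compare():
    """Analyse the raw-bit ciphertext and the word-encoded ciphertext."""
    raw = analyse(lambda bits: bits, len)
    words = analyse(as_words, lambda s: 8 * len(s))
    return raw, words

if __name__ == "__main__":
    for name, (leak, h_c, rate) in zip(("raw bits", "TRUE/FALSE"), compare()):
        print(f"{name:10s} I(M;C)={abs(leak):.6f}  H(C)={h_c:.3f}  entropy/bit={rate:.4f}")
```

A mutual information of zero in both rows is the perfect-secrecy condition; only the entropy-per-transmitted-bit figure differs between the two encodings.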
