[Pkg-sysvinit-devel] fundamental properties of entropy

John Denker jsd at av8n.com
Thu Sep 16 03:22:05 UTC 2010


a) Suppose I shuffle a deck of cards, and ask you to figure
out the order of the cards.  The entropy in this situation
is the logarithm of 52 factorial, which is just under 226
bits.  You can figure out the order by asking 226 yes/no
questions.

b) Suppose I prepare two decks of cards by shuffling one
and then stacking the other into the exact same configuration.
If we throw away deck #1, the entropy of deck #2 is 226 bits.
If we throw away deck #2, the entropy of deck #1 is 226 bits.
The situation is symmetrical with respect to which deck is
which.  Last but not least, if we keep both decks, the entropy 
of both of them together is 226 bits.

This proves that entropy is not an extensive quantity.  It is
context-dependent.

Some people find this confusing or even disturbing, but it is
a well-established fact of nature.  For details on all this,
see
 http://www.av8n.com/physics/thermo/entropy.html#sec-card-game

=========

In another thread, on 09/15/2010 01:29 PM, Henrique de Moraes 
Holschuh wrote in part:

> Part 1: enough stored entropy to use as "seed material" (4Kib for Linux)
> that is unknown to the attacker.
> 
> Part 2: something that is unique to this specific device among all others.
> 
> Part 3: something that is provably different each time this specific device
> is rebooted, i.e. each time there has been an irreversible loss of state.

There are two possibilities: 

a) If the stored material in Part 1 is unique on a per-machine 
 basis, Part 2 is pointless.

b) If the stored material in Part 1 is cloned from machine to
 machine, this doesn't make sense, because it is not entropy.
 Calling it "stored entropy" does not make it so.  It is not
 entropy and it is not secure.  Adding Part 2 and/or Part 3
 cannot make it secure.

So, either way, the overall three-part proposal does not make
sense.

There is a fundamental principle in the cryptography / security
business that says you cannot make something secure by throwing
together a whole bunch of insecure elements.  You can make it
complicated, but you cannot make it secure.  This has been
discussed and documented, in connection with RNGs and otherwise,
in various places including Knuth _TAoCP_ 

=====

I started a new thread because I am happy to have a wide-ranging
discussion of fundamental principles of security, cryptology,
and physics ... but I don't want it to be mistaken for a review 
of the recently-submitted patches.

I reckon that understanding the fundamental properties of
entropy may be a prerequisite for reviewing the patches, but 
it is not the same thing.
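The two arguments above, the card-deck entropies and the objection to a cloned "stored entropy" file, worked through as an added Python example. This is not part of the original post: the small decks are enumerated exhaustively so the joint entropy can be computed exactly, and the seed-derivation scheme (SHA-256 over the stored material, a device id and a boot counter, with an assumed 6-bit id and 4-bit counter) is a hypothetical stand-in for Parts 1-3 of the quoted proposal, not the patches under discussion.

```python
import hashlib
import itertools
import math
from collections import Counter


def shannon_bits(counts):
    """Shannon entropy, in bits, of the distribution described by a Counter of outcomes."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def deck_entropy_bits(n_cards):
    """Entropy of one uniformly shuffled deck: log2(n!). For 52 cards this is ~225.58 bits."""
    return math.log2(math.factorial(n_cards))


def two_deck_entropies(n_cards, cloned):
    """Return (H(deck1), H(deck2), H(deck1, deck2)) for two decks, by enumerating every
    equiprobable configuration (so n_cards must stay small).

    cloned=True  : deck 2 is stacked into exactly deck 1's order (the post's case b).
    cloned=False : the two decks are shuffled independently.
    """
    perms = list(itertools.permutations(range(n_cards)))
    if cloned:
        joint = Counter((p, p) for p in perms)
    else:
        joint = Counter((p, q) for p in perms for q in perms)
    deck1, deck2 = Counter(), Counter()
    for (p, q), c in joint.items():
        deck1[p] += c
        deck2[q] += c
    return shannon_bits(deck1), shannon_bits(deck2), shannon_bits(joint)


# --- Parts 1-3 of the quoted proposal, modelled hypothetically ----------------------

# Hypothetical "stored entropy" file that was cloned onto every device, so the
# attacker holds an identical copy. 4096 bytes looks like 32768 bits on paper.
CLONED_SEED = bytes(range(256)) * 16


def derive_seed(stored, device_id, boot_count):
    """Hypothetical mixing of Part 1 (stored), Part 2 (device id), Part 3 (boot count)."""
    h = hashlib.sha256()
    h.update(stored)
    h.update(device_id.to_bytes(4, "big"))
    h.update(boot_count.to_bytes(4, "big"))
    return h.digest()


def attacker_uncertainty_bits(stored, id_bits, boot_bits):
    """Entropy of the derived seed as seen by an attacker who knows `stored` and knows
    the device id fits in id_bits and the boot count in boot_bits: the attacker
    enumerates every possible (device_id, boot_count) and the hash adds nothing."""
    outputs = Counter(
        derive_seed(stored, d, b)
        for d in range(2 ** id_bits)
        for b in range(2 ** boot_bits)
    )
    return shannon_bits(outputs)


def recover_inputs(stored, observed, id_bits, boot_bits):
    """Brute-force the (device_id, boot_count) behind an observed derived seed."""
    for d in range(2 ** id_bits):
        for b in range(2 ** boot_bits):
            if derive_seed(stored, d, b) == observed:
                return d, b
    return None


if __name__ == "__main__":
    print("one 52-card deck: %.2f bits" % deck_entropy_bits(52))
    for cloned in (True, False):
        h1, h2, h12 = two_deck_entropies(4, cloned)
        print("4-card decks, cloned=%s: H1=%.2f H2=%.2f H(both)=%.2f"
              % (cloned, h1, h2, h12))
    print("attacker's uncertainty about the derived seed: %.1f bits"
          % attacker_uncertainty_bits(CLONED_SEED, 6, 4))
    print("recovered (device_id, boot_count):",
          recover_inputs(CLONED_SEED, derive_seed(CLONED_SEED, 37, 9), 6, 4))
```

With cloned decks the three entropies coincide at log2(n!); with independent shuffles the joint entropy is twice that, which is the non-extensive behaviour the post describes. In the second half, the 32768 bits of cloned material contribute nothing from the attacker's viewpoint: the derived seed carries only the 10 bits of the assumed id and counter, and `recover_inputs` finds them in at most 1024 hashes.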


