[openssl-project] Entropy seeding the DRBG

Kurt Roeckx kurt at roeckx.be
Tue May 1 08:43:17 UTC 2018


On Tue, May 01, 2018 at 06:09:13AM +0200, Richard Levitte wrote:
> In message <20180430162209.GA4439 at roeckx.be> on Mon, 30 Apr 2018 18:22:09 +0200, Kurt Roeckx <kurt at roeckx.be> said:
> 
> kurt> On Mon, Apr 30, 2018 at 06:00:20PM +0200, Richard Levitte wrote:
> kurt> > 
> kurt> > So I'd like to have it confirmed that I'm reading this right, that's
> kurt> > about 0.08 entropy bits per 8 data bits?  Or is it per data bit?
> kurt> 
> kurt> Per symbol, being 8 bits for what you provided.
> kurt> 
> kurt> > Depending on the interpretation, we either have 1 bit of entropy per
> kurt> > 12 data bits...  or per 100 data bits...  The latter has my heart
> kurt> > sinking...
> kurt> 
> kurt> It's per 100 bits, and that's really still an overestimate. One
> kurt> of the models they used was able to predict it that well.
> 
> That well?  I'm not sure I understand, the final min-entropy value is
> the *lowest* of all different estimates.  Also, I'm not sure what
> makes you say it's an overestimate...  are you simply speculating?

Those are all just tests to see how easy it is to predict the
next value, but they really don't know anything about the data. It
might be possible to generate a better predictor, one that has an
even lower min-entropy value. That is why you should not rely on
the tool to give you a good min-entropy value, it just shows that
the maximum of the real value is the minimum reported by the tool.

If you actually follow SP800-90B, you should make a theoretical
model of how much entropy you expect, and then use the tool
to verify that your model is correct.


Kurt
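
The point made in this message, as an added example (not part of the original post and not the SP800-90B tool): generic estimators report a high min-entropy for a source that a predictor built from a model of the source guesses almost every time. The source, its step of 7, the 5% jitter rate and all function names are constructed assumptions, and the estimators are simplified (no confidence intervals).

```python
import math
import random
from collections import Counter

JITTER_P = 0.05   # constructed source model: counter step is 7, or 8 with prob. 5%

def constructed_source(n, seed=1):
    """Constructed sample data: a byte-wide counter with occasional jitter."""
    rng, value, out = random.Random(seed), 0, []
    for _ in range(n):
        value = (value + 7 + (rng.random() < JITTER_P)) % 256
        out.append(value)
    return out

def mcv_estimate(samples):
    """Most-common-value style estimate: -log2(frequency of the top symbol)."""
    top = Counter(samples).most_common(1)[0][1]
    return -math.log2(top / len(samples))

def predictor_estimate(samples, predict):
    """-log2(hit rate) of a predictor that guesses samples[i] from samples[i-1]."""
    hits = sum(predict(samples[i - 1]) == samples[i] for i in range(1, len(samples)))
    rate = max(hits / (len(samples) - 1), 1 / 256)   # floor: blind guess over 256 symbols
    return -math.log2(rate)

def repeat_last(prev):        # generic predictor, knows nothing about the source
    return prev

def counter_model(prev):      # predictor built from knowledge of the source
    return (prev + 7) % 256

def compare(n=4096):
    """Return (min of generic estimates, informed estimate, model value) in bits/symbol."""
    s = constructed_source(n)
    generic = min(mcv_estimate(s), predictor_estimate(s, repeat_last))
    informed = predictor_estimate(s, counter_model)
    modelled = -math.log2(1 - JITTER_P)   # min-entropy per symbol the model predicts
    return generic, informed, modelled

if __name__ == "__main__":
    generic, informed, modelled = compare()
    print(f"generic estimators (min): {generic:.2f} bits/symbol")
    print(f"informed predictor:       {informed:.3f} bits/symbol")
    print(f"theoretical model:        {modelled:.3f} bits/symbol")
```

The minimum over the generic estimators is only an upper bound on the real value; the informed predictor's result agreeing with the modelled figure is the "verify your model" step.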


