Are there any caveats to the claim that a cryptographic key of size $N$ bits and $N$ bits of entropy are equivalent?
2 Answers
Yes, there are caveats.
The key 982896e097fcb948df5c1dbf89e2e346133db001d9cc37aec4b64b6d8edee224 is 256 bits long but has zero bits of entropy to anyone who knows you are using it.
Suppose you designed a cryptosystem where every legitimate user's secret AES-256 key started with a 192-bit prefix known to you, the designer, which you chose uniformly at random. To an adversary who doesn't have access to the system, the keys have 256 bits of entropy. But to you, each key has at most 64 bits of entropy. The United States government imposed this kind of requirement on Lotus in the international editions of its proprietary Lotus Notes software system in the 1980s, albeit with much smaller key sizes, back in the days when men were men and they all agreed that encryption was a munition used outside the United States only by terrorists and that 56 bits oughta be enough for anyone who's not a terrorist.
The number of bits in an RSA modulus may be 2048 (not counting the exponent bits, the private key, and any ASN.1 formatting or what-have-you to store it in a practical system), but it may reasonably be generated from a 256-bit seed.
Entropy is a property of a process or state of knowledge when the process or unknown may have many possible outcomes. For a cryptosystem to be useful, from the adversary's perspective, in the adversary's state of knowledge, the legitimate user's key has to have a distribution of possible values with a nonnegligible min-entropy, which is formally defined as $-\max_k \log p(k)$ where $k$ ranges over all possible keys and $p(k)$ is the probability of the key $k$. If the min-entropy is too small, then the adversary has a good chance of guessing the key on the first try.
But the length of the key is necessarily related to its entropy only in that the length in bits cannot be smaller than the entropy in bits, because you need to have at least $2^n$ possibilities in order to have an entropy of $n$ bits.
Also, specifically, please take note of "export-grade" encryption.
128-bit keys were used but only 40 bits were really used because the rest were leaked on a side channel.
See also: what does "export grade" cryptography mean? and how is this related to the Logjam attack?