Randomness

Is it safe to encode entropy this way?

  • January 31, 2017

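I have been analyzing the source code of a piece of software and came across this encoding snippet, and I would like to know whether it is safe to encode an entropy source this way.

So the entropy source is a 132-bit random source in integer format, so i is an integer containing 132 bits of randomness: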

def mnemonic_encode(self, i):
   n = len(self.wordlist)
   words = []
   while i:
       x = i%n
       i = i // n  # integer division; plain / returns a float on Python 3
       words.append(self.wordlist[x])
   return ' '.join(words)

n is the length of the dictionary containing 2048 words, and initially n=2048, so we are trying to convert the initial source of entropy into X words, with the last one being chopped off.

So in our case of a 132-bit input, it will be converted into 12 words, log_2(2048)*12 = 132; if it were 133 bits, then I guess we would have 13 words, however the last word would have only 1 bit of entropy instead of 11.

Similarly it decodes the words like this:

def mnemonic_decode(self, seed):
   n = len(self.wordlist)
   words = seed.split()
   i = 0
   while words:
       w = words.pop()
       k = self.wordlist.index(w)
       i = i*n + k
   return i

And it should return the same i after decoding as the initial i was after encoding.

Now I have run this code in Python, and from a programming standpoint it should be correct; however, I want to know whether it's OK from a cryptographic standpoint too.

Source: https://github.com/spesmilo/electrum/blob/master/lib/mnemonic.py

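If you are worried about "losing information" (e.g., this is used to generate human-friendly passwords), this should be fine, because the encoding is injective; this already follows from the fact that it is invertible. (However, if the goal is to keep the number secret from someone who gets access to the list of words, that is a different story. Note that this method is not secure as an "encryption" scheme!)

In general, **injective functions preserve entropy.** The proof is simple: let $ X\colon\Omega\to A $ be a discrete random variable and $ f\colon A\to B $ an injective function. Then, the definition of entropy states (with the convention $ \log_20=0 $):

$$ H(f(X)) = \sum_{b\in B} -\Pr[f(X) = b]\cdot\log_2\Pr[f(X) = b] \text{.} $$

Since only terms with $ b\in f(A) $ contribute to the sum, and since each such $ b $ has a unique preimage $ a $ under $ f $, we can rewrite this as

$$ H(f(X)) = \sum_{a\in A} -\Pr[X=a]\cdot\log_2\Pr[X=a] \text{,} $$

which is precisely the entropy of $ X $.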
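The following is an added example, not part of the original question, answer, or the Electrum source: a Python 3 version of the two functions run against an empirical entropy check, with a non-injective map for contrast. The word list `WORDLIST`, the helper names `entropy` and `first_word_only`, and the sample values are constructed for illustration.

```python
import math
import secrets
from collections import Counter

# Constructed stand-in for the real 2048-word list (assumption: distinct words).
WORDLIST = ["w%04d" % k for k in range(2048)]

def mnemonic_encode(i, wordlist=WORDLIST):
    """Base-n digits of i, least significant first, one word per digit."""
    n = len(wordlist)
    words = []
    while i:
        i, x = divmod(i, n)  # integer quotient and remainder (Python 3 safe)
        words.append(wordlist[x])
    return " ".join(words)

def mnemonic_decode(seed, wordlist=WORDLIST):
    """Inverse of mnemonic_encode: the last word is the most significant digit."""
    n = len(wordlist)
    i = 0
    for w in reversed(seed.split()):
        i = i * n + wordlist.index(w)
    return i

def entropy(samples):
    """Shannon entropy, in bits, of the empirical distribution of samples."""
    counts = Counter(samples)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def first_word_only(i):
    """Non-injective contrast: keeps only the lowest base-n digit of i."""
    return mnemonic_encode(i).split(" ")[0]

if __name__ == "__main__":
    i = secrets.randbits(132)
    assert mnemonic_decode(mnemonic_encode(i)) == i  # round trip
    # Constructed sample with repeated values, so the distribution is non-uniform.
    xs = [5, 5, 5, 2053, 4101, 7, 7, 2**131 + 5]
    print("H(X)          =", entropy(xs))
    print("H(encode(X))  =", entropy([mnemonic_encode(x) for x in xs]))
    print("H(first word) =", entropy([first_word_only(x) for x in xs]))
    # Word count tracks the integer's magnitude, not a fixed 12.
    for v in (0, 5, 2**121 - 1, 2**131, 2**132):
        print(v.bit_length(), "bits ->", len(mnemonic_encode(v).split()), "words")
```

The encoder is injective on non-negative integers, but a 132-bit draw whose high-order base-2048 digits are zero produces fewer than 12 words, and 0 produces an empty string. The decoder is not injective on word strings: appending `WORDLIST[0]` to a phrase decodes to the same integer.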

Quoted from: https://crypto.stackexchange.com/questions/43416