3
$\begingroup$

I am new to cryptography and I am trying to find a way to measure ciphertext entropy of encryption algorithms such as AES, Chacha20, etc for a school project. Is there any way to do it on Python? I read that the scipy library has a section for measuring entropy but I have no idea if this is recommended or even usable.

Also, do we have any standard or baseline for an encryption algorithm regarding its entropy?

Improve this question
$\endgroup$
1
  • 3
    $\begingroup$ Please specify what you believe Ciphertext Entropy denotes, citing one or more references you rely on. Here's a thought experiment. Consider cleartexts A, B, C corresponding to 1 followed by a handful of zeros, or a thousand, or a billion of them. Do their entropies significantly differ? No. They have much less than one bit of entropy per bit of cleartext. Now consider their rot13 and AES encryptions (using a well-chosen AES key). Are they distinguishable from random? The rot13 ciphertexts certainly are. Do the ciphertexts have high entropy? No. $\endgroup$
    – J_H
    Commented Oct 22, 2023 at 0:42

1 Answer 1

Reset to default
5
$\begingroup$

Ciphers are deterministic. As such there is no such thing as "ciphertext entropy". Given a certain key, IV, and plaintext you should always get the same ciphertext. If neither of those elements contains entropy then no entropy is in the ciphertext; it may look randomized but that's not the same thing.

AES by itself is not a generic cipher, it is a block cipher and considered a primitive. A primitive can be used to build generic ciphers and other cryptographic functions. A generic cipher should be able to encrypt arbitrary messages up to a certain size. It should at least be IND-CPA, indistinguishable under the chosen plaintext. As the block cipher itself only encrypts blocks (ECB) it is not considered to be IND-CPA; if the attacker guesses the correct message then the oracle will provide the same ciphertext, making it distinguishable.

Say that we have a cipher such as that provided by AES in a secure mode of operation or the ChaCha20 stream cipher scheme. In that case, it may retain the entropy provided in the key and - to a lesser extend - the IV. However, it would be hard to say how much is retained. If you use a keyed cipher to encrypt a single bit then obviously most of the entropy is lost.

In general, there is no real way to measure entropy if it may have passed through a pseudo random function. There are ways to see if a large amount of ciphertext is indistinguishable from random. For that, you can see e.g. the die-harder tests. But those tests cannot distinguish pseudo random sequences from true random sequences and are unsuitable to test for entropy for that reason alone. You could these tools on a known entropy source to estimate the amount of entropy - but a cipher is not an entropy source.

There is a lot of discussion on this site on what entropy actually is. There are several definitions such as Shannon entropy and min-entropy. I'd say that this is an advanced subject that may not be that suitable for a school project.

Improve this answer
$\endgroup$
6
  • $\begingroup$ Thank you so much for the clarification I appreciate the help. A follow up question though, since there is no real way to measure entropy and it is not recommended to measure entropy in ciphers such as AES and Chacha20, is there any way we can measure the effectiveness of a cipher based on it's ciphertext? or is there a value we can measureto have a representation of how much the ciphertext differs from the plaintext thereby formulating an implied effectiveness of a given cipher? $\endgroup$
    – Jake
    Commented Oct 22, 2023 at 13:17
  • 2
    $\begingroup$ "any way we can measure the effectiveness of a cipher based on it's ciphertext" Not really. Even terrible ciphers can meet the requirements of "looking random" even for tools like die-harder. Easy to see: use a non-secure but well distributed PRNG (e.g. the Mersenne Twister) and use that as stream cipher. This insight also defeats the measuring you propose. You may want to look into "Linear Cryptanalysis" as an attack strategy. $\endgroup$
    – Maarten Bodewes
    Commented Oct 22, 2023 at 13:25
  • $\begingroup$ (not particularly to attack it, but the security of a cipher is basically the security it offers in bits against the most effective attack) $\endgroup$
    – Maarten Bodewes
    Commented Oct 22, 2023 at 13:27
  • $\begingroup$ @MaartenBodewes Err, are you sure about "no real way to measure entropy" of decent cipher text (perhaps ~ 1 bit/bit). Or are you referencing measurement of Kolmogorov complexity? $\endgroup$
    – Paul Uszak
    Commented Oct 22, 2023 at 22:34
  • 1
    $\begingroup$ Computing the entropy can be done if you fix the probability distribution of keys, messages and IVs. Like Maarten mentions in his answer, ciphertexts are deterministic functions of (key, msg, IV), so you could compute the probability distribution over ciphertexts and its entropy. Measuring entropy (e.g. from experiments) is much more difficult since you need to approximate the probability distribution from empirical observations. See this for example. $\endgroup$
    – lamontap
    Commented Oct 25, 2023 at 14:19

Not the answer you're looking for? Browse other questions tagged or ask your own question.