passphrases with more than 160 bits of entropy

John Denker jsd at av8n.com
Wed Mar 22 21:11:02 EST 2006


Matt Crawford wrote:

> I so often get irritated when non-physicists discuss entropy.  The word
> is almost always misused.

Yes, the term "entropy" is often misused ... and we have seen some
remarkably wacky misusage in this thread already.  However, physicists
do not have a monopoly on correct usage.  Claude S was not a physicist,
yet he definitely knew what he was talking about.  Conversely, I know
more than a few card-carrying physicists who have no real feel for what
entropy is.

> I looked at Shannon's definition and it is
> fine, from a physics point of view.

Indeed.

> But if you apply thoughtfully to a
> single fixed sequence, you correctly get the answer zero.

I agree with all that, except for the "But".  Shannon well knew that
the entropy was zero in such a situation.

> If your sequence is defined to be { 0, 1, 2, ..., 255 }, the
> probability of getting that sequence is 1 and of any other sequence,
> 0.  Plug it in.

Indeed.

> If you have a generator of 8-bit random numbers and every sample is
> independent and uniformly distributed, and you ran this for a gazillion
> iterations and wrote to the list one day saying the special sequence {
> 0, 1, 2, ..., 255 } had appeared in the output, that's a different
> story.  But still, we would talk about the entropy of your generator,
> not of one particular sequence of outputs.

Yes.  Shannon called it the "source entropy", i.e. the entropy of
the source, i.e. the entropy of the generator.


Perry Metzger wrote:

>> Usually, the best you can do is produce (bad) bounds, and sometimes
>> not even that.

Huh?  What's your metric for "usually"?  I'll agree as a matter of
principle that whatever you're doing, you can always do it wrong.
But that doesn't prevent me from doing it right.  I can use physics
to produce good bounds, that is,
   http://www.av8n.com/turbid/



=======================

The problem posed by the OP is trivial, and good solutions have already
been posted.  To recap: SHA-512 exists, and if that isn't good enough,
you can concatenate the output of several different one-way functions.
You can create new hash functions at the drop of a hat by prepending
something (a counter suffices) to the input to the hash.

Example:  result = hash(1 || pw)  ||  hash(2 || pw)  ||  hash(3 || pw)
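
The counter-prefix construction above, as an added Python sketch that is not part of the original post. The choice of SHA-512 as the hash, the 4-byte big-endian counter encoding, and the names block, wide_hash and naive_block are assumptions of this example.

```python
import hashlib
import math

COUNTER_BYTES = 4  # assumption: fixed-width counter; the post only writes "1 || pw"


def block(counter: int, passphrase: bytes) -> bytes:
    """One derived hash function: SHA-512(counter || passphrase)."""
    prefix = counter.to_bytes(COUNTER_BYTES, "big")
    return hashlib.sha512(prefix + passphrase).digest()


def wide_hash(passphrase: bytes, out_len: int) -> bytes:
    """hash(1 || pw) || hash(2 || pw) || ... truncated to out_len bytes."""
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    n_blocks = math.ceil(out_len / hashlib.sha512().digest_size)
    if n_blocks >= 2 ** (8 * COUNTER_BYTES):
        raise ValueError("out_len too large for the counter width")
    out = bytearray()
    for counter in range(1, n_blocks + 1):
        out += block(counter, passphrase)
    return bytes(out[:out_len])


def naive_block(counter: int, passphrase: bytes) -> bytes:
    """Variable-width decimal counter, shown only to illustrate the pitfall:
    the boundary between counter and passphrase is ambiguous."""
    return hashlib.sha512(str(counter).encode() + passphrase).digest()


def naive_encoding_collides() -> bool:
    # "1" + "2abc" and "12" + "abc" are the same byte string "12abc",
    # so two (counter, passphrase) pairs feed the hash identical input.
    return naive_block(1, b"2abc") == naive_block(12, b"abc")


def fixed_encoding_collides() -> bool:
    # With a fixed-width counter the same two pairs give distinct inputs.
    return block(1, b"2abc") == block(12, b"abc")


if __name__ == "__main__":
    pw = b"constructed sample passphrase"  # constructed input for the demo
    print(wide_hash(pw, 160).hex())
    print("naive counter collides:", naive_encoding_collides())
    print("fixed counter collides:", fixed_encoding_collides())
```

Concatenating k blocks gives an output that can carry at most the smaller of the passphrase's entropy and 512k bits; it widens the hash and does nothing to slow down guessing.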


---------------------------------------------------------------------
The Cryptography Mailing List