passphrases with more than 160 bits of entropy
John Denker
jsd at av8n.com
Wed Mar 22 21:11:02 EST 2006
Matt Crawford wrote:

> I so often get irritated when non-physicists discuss entropy. The word
> is almost always misused.

Yes, the term "entropy" is often misused ... and we have seen some
remarkably wacky misusage in this thread already. However, physicists
do not have a monopoly on correct usage. Claude S was not a physicist,
yet he definitely knew what he was talking about. Conversely, I know
more than a few card-carrying physicists who have no real feel for what
entropy is.

> I looked at Shannon's definition and it is
> fine, from a physics point of view.

Indeed.

> But if you apply thoughtfully to a
> single fixed sequence, you correctly get the answer zero.

I agree with all that, except for the "But". Shannon well knew that
the entropy was zero in such a situation.

> If your sequence is defined to be { 0, 1, 2, ..., 255 }, the
> probability of getting that sequence is 1 and of any other sequence,
> 0. Plug it in.

Indeed.

> If you have a generator of 8-bit random numbers and every sample is
> independent and uniformly distributed, and you ran this for a gazillion
> iterations and wrote to the list one day saying the special sequence {
> 0, 1, 2, ..., 255 } had appeared in the output, that's a different
> story. But still, we would talk about the entropy of your generator,
> not of one particular sequence of outputs.

Yes. Shannon called it the "source entropy", i.e. the entropy of
the source, i.e. the entropy of the generator.

Perry Metzger wrote:

>> Usually, the best you can do is produce (bad) bounds, and sometimes
>> not even that.

Huh? What's your metric for "usually"? I'll agree as a matter of
principle that whatever you're doing, you can always do it wrong.
But that doesn't prevent me from doing it right. I can use physics
to produce good bounds, that is,
http://www.av8n.com/turbid/

=======================
The problem posed by the OP is trivial, and good solutions have already
been posted. To recap: SHA-512 exists, and if that isn't good enough,
you can concatenate the output of several different one-way functions.
You can create new hash functions at the drop of a hat by prepending
something (a counter suffices) to the input to the hash.
Example: result = hash(1 || pw) || hash(2 || pw) || hash(3 || pw)
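
The counter-prefix construction from the recap above, as an added example that is not part of the original post; the function name `expand_passphrase`, the 4-byte big-endian counter encoding and the sample passphrase are assumptions made here. The output can be longer than one digest, but it carries no more entropy than the passphrase that went in.

```python
import hashlib
import struct


def expand_passphrase(pw: bytes, out_len: int, hash_name: str = "sha512") -> bytes:
    """Return out_len bytes of hash(1 || pw) || hash(2 || pw) || ...

    Assumption (not from the post): the counter is encoded as a fixed-width
    4-byte big-endian integer. A fixed width keeps counter || pw unambiguous;
    with decimal text counters, "1" || "1pw" and "11" || "pw" would be the
    same hash input.
    """
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    digest_size = hashlib.new(hash_name).digest_size
    blocks = -(-out_len // digest_size)  # ceiling division
    if blocks > 0xFFFFFFFF:
        raise ValueError("out_len too large for a 32-bit counter")

    out = bytearray()
    for counter in range(1, blocks + 1):
        prefix = struct.pack(">I", counter)
        out += hashlib.new(hash_name, prefix + pw).digest()
    return bytes(out[:out_len])


if __name__ == "__main__":
    # Constructed sample passphrase, for illustration only.
    pw = b"correct horse battery staple"

    # Three SHA-512 blocks: 3 * 64 = 192 bytes.
    wide = expand_passphrase(pw, 192)
    print(len(wide), wide[:8].hex())

    # The same construction lifts a 160-bit hash past its digest size:
    # 32 bytes needs two SHA-1 blocks, truncated from 40.
    lifted = expand_passphrase(pw, 32, "sha1")
    print(len(lifted), lifted.hex())
```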