Private Key Generation from Passwords/phrases

mheyman at mheyman at
Mon Jan 15 09:24:20 EST 2007

On 1/11/07, Joseph Ashwood <ashwood at> wrote:
> 112 bits of entropy is 112 bits of entropy...anything else and you're
> into the world of trying to prove equivalence between entropy and
> work which works in physics but doesn't work in computation
> because next year the work level will be different and you'll
> have to redo all your figures.

Hmm. All we usually have protecting us is "work".

Once a little bit of cipher text gets out, on an SSL session or a PGP
encrypted email or the like, that bit of cipher text is enough
information to unambiguously determine the key. It may take a lot of
work to determine the key but there is no uncertainty left in the key.
That is, once used for a bit of encrypting where the cipher text
becomes known, the entropy of that key is _zero_.

Since there is no unguessability left in the key, the only thing
protecting the cipher text is the amount of work it takes to determine
the key.

It seems Matthias has realized, prudently, that his system has a weak
link at the passphrase and he is looking to strengthen that. The ways
to do that include requiring a ridiculously long passphrase or
increasing the work required to go from the passphrase to the key.
Both methods Matthias has chosen increase the work required to break
the system.

As James pointed out, the proposed 76-bit passphrase is a bit much to
expect anybody to remember and it is always better to not derive keys
from passwords when the system allows.

-Michael Heyman
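
The two levers named in the message above (a longer passphrase, or more work per passphrase-to-key derivation), as an added example that is not part of the original post. It assumes PBKDF2-HMAC-SHA256 as the stretching function (the thread names no KDF) and a simple cost model in which every guess costs `iterations` PRF calls; the 76 and 112 figures are used only as sample inputs, and all function names are hypothetical.

```python
import hashlib
import math
import os


def derive_key(passphrase: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a passphrase into key bytes (PBKDF2 is an assumption of this example)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=length)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Guessing entropy of `words` independent uniform picks from a word list."""
    return words * math.log2(wordlist_size)


def work_bits(entropy_bits: float, iterations: int) -> float:
    """log2 of attacker work in PRF calls: 2**entropy guesses, `iterations` calls each."""
    return entropy_bits + math.log2(iterations)


def iterations_needed(entropy_bits: float, target_bits: float) -> int:
    """Iteration count that lifts a passphrase of `entropy_bits` to `target_bits` of work."""
    gap = target_bits - entropy_bits
    return 1 if gap <= 0 else math.ceil(2 ** gap)


if __name__ == "__main__":
    salt = os.urandom(16)  # random per-user salt defeats precomputed tables
    key = derive_key("correct horse battery staple", salt, 200_000)
    print("derived key:", key.hex())

    # Lever 1: lengthen the passphrase (constructed sample: 7776-word list).
    for n in (4, 6, 8):
        print(f"{n} words -> {passphrase_bits(n, 7776):.1f} bits before stretching")

    # Lever 2: raise the per-guess cost instead.
    for iters in (1, 2 ** 10, 2 ** 20):
        print(f"76-bit passphrase, {iters} iterations -> {work_bits(76, iters):.0f} bits of work")

    # Closing the whole gap by stretching alone is impractical for the defender too.
    print("iterations to reach 112 from 76:", iterations_needed(76, 112))
```

Stretching costs the legitimate user the same per-derivation work as the attacker pays per guess, which bounds how far the second lever can go.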

The Cryptography Mailing List