Password vs data entropy

Alex Pankratov ap at
Sat Oct 27 00:41:21 EDT 2007

> -----Original Message-----
> From: Ben Laurie [mailto:ben at] 
> Sent: Friday, October 26, 2007 3:56 PM
> To: Alex Pankratov
> Cc: cryptography at
> Subject: Re: Password vs data entropy
> In other words, your password needs to be x/y times the size of the
> secret (in bits), where x and y are the costs of attacking the secret
> and the password respectively.

Essentially, the entropy measure alone is not sufficient to
make a decision; we should also account for the algorithms
being used. This certainly makes sense .. now that you said
it :)

Is there any published research into entropy estimates of
the PBKDF2 transformation? Perhaps for specific PRF(s) and
fixed iteration counts. I.e., if I have a password with N
bits of entropy, what is the entropy of the key going to
be like given *this* set of PBKDF2 parameters?

Also, can you elaborate on this remark? Specifically, the
second part of it -

> I want to make this distinction because I'd like to talk 
> about secret keys, which have to be rather larger than 4 
> kbits to have 4kbits of entropy for modular arithmetic stuff.

Are you referring to RSA-like secrets that involve prime
numbers, which are therefore selected from a smaller subset
of Z(n)?


The Cryptography Mailing List
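
An added illustration of the question raised in the message above (not code from the thread or its participants): for a fixed salt and iteration count PBKDF2 is deterministic, so the derived key carries no more entropy than the password or the key length allows, while the iteration count only raises the cost of each guess. The tiny password space, the salt value and the function names are assumptions made for this example.

```python
import hashlib
import itertools
import math
from collections import Counter

SALT = b"constructed-salt"  # sample value, constructed for this example


def key_entropy_bits(alphabet, length, iterations, dklen):
    """Shannon entropy (bits) of the PBKDF2-HMAC-SHA256 output when the
    password is drawn uniformly from alphabet**length, a space small
    enough to enumerate completely."""
    keys = Counter(
        hashlib.pbkdf2_hmac("sha256", "".join(p).encode(), SALT, iterations, dklen)
        for p in itertools.product(alphabet, repeat=length)
    )
    total = sum(keys.values())
    return -sum(n / total * math.log2(n / total) for n in keys.values())


def guessing_work_bits(password_bits, iterations):
    """log2 of the PRF calls needed to try every password: 2**N guesses,
    each costing `iterations` PRF calls (one output block assumed)."""
    return password_bits + math.log2(iterations)


if __name__ == "__main__":
    # 4 symbols, 4 characters: 256 equally likely passwords, N = 8 bits.
    for c in (1, 100, 1024):
        print(
            f"iterations={c:5d}  "
            f"key entropy={key_entropy_bits('abcd', 4, c, 32):.2f} bits  "
            f"exhaustive search=2^{guessing_work_bits(8, c):.2f} PRF calls"
        )
    # Truncating the key to 8 bits makes distinct passwords collide,
    # so the key entropy drops below the password entropy.
    print(f"8-bit key entropy={key_entropy_bits('abcd', 4, 1, 1):.2f} bits")
```

The 256-bit key stays at 8 bits of entropy for every iteration count, while the search cost grows by log2 of the iteration count.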