<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" cellspacing="0"
cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Subject:
</th>
<td>Re: MinEntropy Implications for Passphrase Strength</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">Date: </th>
<td>Thu, 12 Dec 2019 15:03:38 -0500</td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">From: </th>
<td>Arnold Reinhold <a class="moz-txt-link-rfc2396E" href="mailto:agr@me.com"><agr@me.com></a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap="nowrap" align="RIGHT">To: </th>
<td>procmem <a class="moz-txt-link-rfc2396E" href="mailto:procmem@riseup.net"><procmem@riseup.net></a></td>
</tr>
</tbody>
</table>
<br>
<br>
It’s not an easy question to answer. Here is a somewhat more
legible discussion:
<div class=""><br class="">
</div>
<div class=""><a
href="https://crypto.stackexchange.com/questions/66097/why-is-min-entropy-significant-in-cryptography"
class="" moz-do-not-send="true">https://crypto.stackexchange.com/questions/66097/why-is-min-entropy-significant-in-cryptography</a></div>
<div class=""><br class="">
</div>
<div class="">At the simplest level, if you think of the Diceware
word list as a set of symbols, and you are picking each symbol
with a uniform random process, which physical dice approximate
very well, then min entropy equals Shannon entropy. On the other
hand, if you look at the resulting pass phrase as a string of
characters, the distribution will not be uniformly random, and
the min entropy will be less than the Shannon entropy. The
Diceware word list can occasionally generate passphrases so
short that they are subject to brute force searches; that’s why I
recommend requiring a minimum length.
<div class=""><br class="">
</div>
<div class="">Min entropy attempts to bound the worst case
behavior, but that is not necessarily realistic. The words
have semantic meaning and it is possible to randomly generate
a passphrase like “Four score and seven years ago” which might
be in a list of, say, the top 1000 English phrases. That could
be considered a min entropy of less than 10 bits. But such
occurrences are rare and are fairly easy for humans to spot.
This does not apply only to Diceware. A string of random
characters could spell a word. A random hex string could be
3243F6A8885A3, aka Pi. One solution would be to check a
generated password or phrase against a collection of cracker
lists, but any given password could be added to such lists at
a later date, so that won’t completely eliminate the problem.
What Shannon entropy does do for a password or phrase
generation scheme is measure the likelihood that a weak
password will be generated, which in the case of Diceware is
extremely low.</div>
<div class=""><br class="">
</div>
<div class="">Best,</div>
<div class=""><br class="">
</div>
<div class="">agr</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On Nov 19, 2019, at 6:20 PM, <a
href="mailto:procmem@riseup.net" class=""
moz-do-not-send="true">procmem@riseup.net</a> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">Hi Arnold. I came across a publication
that claims minentropy is a more<br class="">
accurate measure for passphrase strength than Shannon
Entropy. The<br class="">
Wikipedia article on the topic is complex and not
really accessible for<br class="">
people who want to learn about it.<br class="">
<br class="">
Questions:<br class="">
<br class="">
* What is min-entropy and how does it impact Diceware
passphrase strength?<br class="">
<br class="">
* How do I calculate it?<br class="">
<br class="">
I would appreciate a plain English explanation I can
add to our<br class="">
documentation. TIA.<br class="">
<br class="">
<br class="">
<a
href="https://www.cs.bu.edu/~reyzin/papers/entropy-survey-ICITS-2011-no-animations.pdf"
class="" moz-do-not-send="true">https://www.cs.bu.edu/~reyzin/papers/entropy-survey-ICITS-2011-no-animations.pdf</a><br
class="">
<br class="">
<a class="moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/Min-entropy">https://en.wikipedia.org/wiki/Min-entropy</a><br class="">
<br class="">
PS. Before sending I found this link that somewhat
helps:<br class="">
<br class="">
<a class="moz-txt-link-freetext" href="https://crypto.stackexchange.com/questions/63786/relation-between-entropy-and-min-entropy">https://crypto.stackexchange.com/questions/63786/relation-between-entropy-and-min-entropy</a><br
class="">
<br class="">
Does this imply min-entropy is only relevant in cases
where passphrases<br class="">
are formed from sources with non-uniform
distributions?<br class="">
<br class="">
I have CC'd our ML so your reply can benefit our
users.<br class="">
<br class="">
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
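<p>The arithmetic behind the reply above, as an added Python example; it is not part of the original thread, the Diceware project or Arnold Reinhold's own material. It computes Shannon entropy and min-entropy for the same generation process viewed two ways: per word (each word a uniform five-dice draw from a list, for which the two measures coincide) and per resulting string (where they can diverge). The list size 6^5 = 7776 is the real Diceware list size; <code>TOY_WORDS</code> is a constructed four-word list (assumed, not Diceware) small enough to enumerate every passphrase, and the <code>separator</code> and <code>min_chars</code> parameters generalise the reply's point: they show that concatenating words without a separator lets different word sequences collide into one string, and what a minimum-length rule costs and buys.</p>

```python
import math
from collections import Counter
from itertools import product


def shannon_entropy(probs):
    """Shannon entropy H = -sum(p * log2 p), in bits: the average surprise of one draw."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy(probs):
    """Min-entropy H_min = -log2(max p), in bits: the work needed against an attacker
    who guesses the single most likely value first. Never exceeds Shannon entropy;
    equal to it only when the distribution is uniform."""
    return -math.log2(max(probs))


def uniform_word_entropies(list_size, num_words):
    """Word-level view: every word is an independent uniform draw from the list,
    so Shannon entropy and min-entropy are both num_words * log2(list_size)."""
    probs = [1.0 / list_size] * list_size
    return shannon_entropy(probs) * num_words, min_entropy(probs) * num_words


# Real Diceware list size: one word per five-dice roll, 6^5 entries.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed toy list (assumption for illustration, NOT the Diceware list).
# Chosen so that some words are prefixes of others and concatenations can collide.
TOY_WORDS = ["a", "ab", "b", "ba"]


def passphrase_counts(words, num_words, separator="", min_chars=0):
    """Count how often each distinct output string is produced over all
    num_words-tuples of uniformly chosen words. Tuples whose joined string is
    shorter than min_chars are rejected, modelling a 're-roll if too short' rule."""
    counts = Counter()
    for combo in product(words, repeat=num_words):
        phrase = separator.join(combo)
        if len(phrase) >= min_chars:
            counts[phrase] += 1
    return counts


def string_entropies(words, num_words, separator="", min_chars=0):
    """String-level view: entropies of the distribution over the strings an
    attacker actually sees, rather than over the word tuples that produced them."""
    counts = passphrase_counts(words, num_words, separator, min_chars)
    total = sum(counts.values())
    probs = [c / total for c in counts.values()]
    return shannon_entropy(probs), min_entropy(probs)


def short_passphrase_probability(words, num_words, min_chars, separator=""):
    """Fraction of generated passphrases that fall below a minimum character length,
    i.e. how often the 'too short, re-roll' rule would fire."""
    total = len(words) ** num_words
    short = sum(1 for combo in product(words, repeat=num_words)
                if min_chars > len(separator.join(combo)))
    return short / total


if __name__ == "__main__":
    h, h_min = uniform_word_entropies(DICEWARE_LIST_SIZE, 6)
    print("6 Diceware words, word-level: Shannon %.2f bits, min-entropy %.2f bits" % (h, h_min))
    for sep in ("", " "):
        h, h_min = string_entropies(TOY_WORDS, 2, sep)
        print("toy list, 2 words, separator %r: Shannon %.3f, min-entropy %.3f" % (sep, h, h_min))
    print("toy list: P(2-word phrase shorter than 3 chars) =",
          short_passphrase_probability(TOY_WORDS, 2, 3))
    h, h_min = string_entropies(TOY_WORDS, 2, "", min_chars=3)
    print("toy list after rejecting phrases under 3 chars: Shannon %.3f, min-entropy %.3f" % (h, h_min))
```

<p>Run stand-alone it prints the word-level figure for six real Diceware words (about 77.5 bits by both measures, since the draw is uniform), then the toy list: joined without a separator, two uniform word draws yield only 14 distinct strings from 16 tuples, so Shannon entropy drops to 3.75 bits and min-entropy to 3 bits against the 4 bits of the word tuples; with a space separator the map is injective and both measures return to 4 bits. The last two lines show the minimum-length rule: a quarter of toy phrases are too short, and rejecting them removes the weakest outputs at the cost of shrinking the accepted space, which is the trade the reply is recommending.</p>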
</body>
</html>