[Whonix-devel] Password length and Quantum Computing Implications
jeanphilippe.aumasson at gmail.com
Sat Aug 11 14:04:58 CEST 2018
You want the passphrase to have at least as much entropy as the bit length
of the symmetric key that is derived from it.
In theory, Grover’s quantum search algorithm could lower down the cost of
searching the right passphrase from ~2^128 to (very) roughly ~2^64.
How to get higher entropy passphrase? You can have a longer passphrase, a
longer dictionary (that is, more entropy per word), or both.
BIP 39 for example supports 128 to 256 bits of entropy per passphrase, iirc
with 2048-word lists, thus longer passphrase for higher entropy, see
Hope this clarifies!
On Fri, 10 Aug 2018 at 22:26, procmem <procmem at riseup.net> wrote:
> Hi JP. Whonix dev here. We are currently discussing the best advice for
> generating strong passphrases for our users and so I wanted your advice
> on a few questions.
> According to The Intercept  using something like diceware is
> recommended and a 10 word passphrase has 128 bits of more than enough to
> stop the strongest adversaires for the forseeable future.
> The IAD/NIST  recommends using 256 bit encryption for AES. Does this
> translate into a need for 256 bit passphrases?
> I may be misunderstanding but cipher keylength =/= password entropy?
> Do quantum computers have implications for passphrase (not master key)
> Now if it turns out I’m wrong the question becomes: how can a 10 word
> passphrase be easily enhanced to get as high entropy as possible without
> having to double its size?
> There is an option for diceware to sprinkle random characters in its
> output but I don’t know how much entropy bits it adds. Do you know?
> I CC'd our mailing list so ou reply can benefit our users. Thanks in
>  https://www.keylength.com/en/compare/
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Whonix-devel