On 1/11/07, Joseph Ashwood <[EMAIL PROTECTED]> wrote:

112 bits of entropy is 112 bits of entropy...anything else and you're into the world of trying to prove equivalence between entropy and work which work in physics but doesn't work in computation because next year the work level will be different and you'll have to redo all your figures.

Hmm. All we usually have protecting us is "work". Once a little bit of cipher text gets out, on an SSL session or a PGP encrypted email or the like, that bit of cipher text is enough information to unambiguously determine the key. It may take a lot of work to determine the key but there is no uncertainty left in the key. That is, once used for a bit of encrypting where the cipher text becomes known, the entropy of that key is _zero_. Since there is no unguessibility left in the key, the only thing protecting the cipher text is the amount of work it takes to determine the key. It seems Matthias has realized, prudently, that his system has a weak link at the passphrase and he is looking to strengthen that. The ways to do that include requiring a ridiculously long passphrase or increasing the work required to go from the passphrase to the key. Both methods Matthias has chosen increase the work required to break the system. As James pointed out, the proposed 76-bit passphrase is a bit much to expect anybody to remember and it is always better to not derive keys from passwords when the system allows. -Michael Heyman --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]