On Fri, Jan 19, 2007 at 12:11:40AM -0800, Bill Stewart wrote:

> One of the roots of the problem is that for many applications,
> i is a well-defined event and P(i) is a fixed value (for i),
> but for many other applications,
> i might not be a well-defined event, and/or
> P(i) is really a conditional probability, P(i|other-stuff-you-know),
> and it's hard to tell whether that's
> usefully different from the non-conditional P(i).

Yes; in textbooks, the author is usually kind enough to give a complete description of the source; in cryptanalysis, you're usually looking at the output and making inferences about the source, and thus the entropy.

> Another entropy example was the Venona decryptions -
> people banging "randomly" on typewriters didn't actually produce
> independent or identically distributed letters,
> so the conditional probabilities didn't actually match
> the assumed ones, so the entropy estimates were wrong,
> and human language plaintext being what it is,
> they really needed the 1-bit-per-bit of key entropy.

Actually, my reading of a book on Venona said they captured some unused OTP on microfilm, but weren't able to use the non-randomness of the source to decrypt anything.

Someone here mentioned that the entropy of the plaintext and the OTP have to merely add to 1 to prevent decryption; the OTP does not necessarily have to provide it all. Shannon's estimates were that English prose carries about 1 bit per symbol.

There were some decrypts of material; the official explanation is that they recovered a partial codebook and discovered some OTP re-use (the KGB encoded, then superenciphered it).

BTW, dictionary attacks can probably be effectively resisted by making the hashes of passwords twice as big, and using a random value concatenated with the password before hashing, and storing it alongside the hash (it's like crypt(3) salting, but more so). If the password is important to keep from disclosure beyond the needs of this security system, one could even truncate the output of the hash to half its size, so that there are multiple preimages; since you doubled the hash size to begin with, you end up with the same security factor against guessing, I believe.

-- 
``Unthinking respect for authority is the greatest enemy of truth.'' -- Albert Einstein
-><- <URL:http://www.subspacefield.org/~travis/>
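The salted, doubled-width-then-truncated password hash sketched in the last paragraph, written out as an added example that is not part of the original post or its author's code. It assumes SHA-512 as the "twice as big" hash, a 16-byte random salt, and truncation of the 512-bit output to 256 bits; the wordlist and salts in the demonstration are constructed. The lookup-table helper shows, from the defender's side, why a precomputed dictionary built against one salt does not match hashes made with another.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Assumed parameters for this illustration (not from the post):
SALT_BYTES = 16            # random value stored alongside the hash
FULL_DIGEST_BITS = 512     # SHA-512: twice the width of a 256-bit hash
STORED_DIGEST_BYTES = 32   # keep only half the output (256 bits)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, stored_digest) for a password.

    A fresh random salt is concatenated with the password before hashing
    and stored next to the digest, as with crypt(3) salting.  The wide
    SHA-512 output is then truncated to half its size, so many distinct
    inputs share each stored value (multiple preimages) while the
    remaining 256 bits still make guessing infeasible.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    full = hashlib.sha512(salt + password.encode("utf-8")).digest()
    assert len(full) * 8 == FULL_DIGEST_BITS
    return salt, full[:STORED_DIGEST_BYTES]


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the truncated digest under the stored salt and compare
    in constant time, so the comparison itself leaks no timing signal."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def build_table(wordlist: Iterable[str], salt: bytes) -> Dict[bytes, str]:
    """Precomputed table of stored digests for ONE salt, i.e. what a
    dictionary table would have to contain.  Because the salt is part of
    the hashed input, the table is only valid for that single salt."""
    return {hash_password(word, salt)[1]: word for word in wordlist}


if __name__ == "__main__":
    # Constructed wordlist and salts for the demonstration.
    words = ["password", "letmein", "correct horse"]
    salt_a, digest_a = hash_password("correct horse")
    table_for_other_salt = build_table(words, os.urandom(SALT_BYTES))
    print("stored digest bytes:", len(digest_a))
    print("verify correct:", verify_password("correct horse", salt_a, digest_a))
    print("verify wrong:  ", verify_password("letmein", salt_a, digest_a))
    print("hit in table built for a different salt:",
          digest_a in table_for_other_salt)
```

Storing `salt || truncated_digest` per user is all a verifier needs; the salt is not secret, it only forces any dictionary to be recomputed per entry rather than once for the whole password file.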
