1996-11-23 - Re: how much entropy in common answers

Header Data

From: Hal Finney <hal@rain.org>
To: pfarrell@netcom.com
Message Hash: 7372f13687118afd5d8de1b5ad259c67ef6fea7e2137533535f47effbb87651c
Message ID: <199611232126.NAA00899@crypt.hfinney.com>
Reply To: N/A
UTC Datetime: 1996-11-23 21:32:47 UTC
Raw Date: Sat, 23 Nov 1996 13:32:47 -0800 (PST)

Raw message

From: Hal Finney <hal@rain.org>
Date: Sat, 23 Nov 1996 13:32:47 -0800 (PST)
To: pfarrell@netcom.com
Subject: Re: how much entropy in common answers
Message-ID: <199611232126.NAA00899@crypt.hfinney.com>
MIME-Version: 1.0
Content-Type: text/plain


From: Pat Farrell <pfarrell@netcom.com>
> Clearly there are cultural issues involved. The entropy in a question
> such as "what is your favorite brother's name?" is low in an Irish
> family like mine where names cluster arround choices such as are Patrick,
> John, Sean, and Dan.
>
> So how do we measure the entropy objectively?

You have to estimate the probability that the attacker will guess what you
have chosen.  This will depend on how much the attacker knows about you.
If he knows that you're Irish, it will help in the question above.  If he
knows the names of your brothers, it will help a lot more.  Probably
it is best to be conservative in assuming what your attacker knows.

If you have four brothers and nobody whom the attacker could ask will
know who is your favorite, but you think he could find out there names,
then he has probably a 1/4 chance of guessing right.  (Actually he
might do better by preferring older brothers rather than younger, etc.)
The amount of entropy is then negative log 2 of the probability, or 2
in this case (2**-2 is 1/4).

For cars, if 50% of people like you would have chosen Mustangs, 
40% Camaros, and the remaining 10% scattered among other brands, then
if your favorite car was a Mustang that is only worth about 1 bit.  But
if your favorite car was an Oldsmobile there might be only 1/100 chance
of the attacker guessing that, so it could be worth 6 or 7 bits.

Hal





Thread