Password cracking: What if attacker is lucky?

Question

We have always measured password or private key strength by the amount of entropy it contains, but what if the attacker who cracks it is lucky.

Consider the following simple scenario, we have 1 bit [0,1] secret , the attacker should choose between 2 combinations, but the attacker already has a 50% chance of guessing the right one.

Now consider a 128 bit secret. It should have 2^128 combinations, so the attacker should go through 340282366920938000000000000000000000000 combinations before guessing the secret, but he actually only has to go through half of that: 170141183460469000000000000000000000000, because he probably has a 50% chance of guessing it right.

So if at each bit he has a 50% chance, that means that 1 bit is actually only half bit.

And if he is very lucky, say 90% chance, that means that 1 bit is actually only 0.1 bit.So in face of a very lucky opponent, a 128 bit password has only 12.8 bit strength.

What is your opinion about this?

Answer 1

"lucky" is not a property of the attacker. There's no "lucky" attacker nor "normal" attacker. They both have the same probability (low, very low) to guess the key. You can decrease the probability at will by increasing the length of the key (i.e. the no. of bits). You cannot really argue "what if the attacker is lucky" because "being lucky" is a posteriori statement; you say that an attacker is lucky only when he/she was... lucky

Answer 2

Note: This answer assumes that by "lucky" OP meant "able to remove X% of valid answers", because I believe that was intent. Of course you can't measure luck ;)

And if he is very lucky, say 90% chance, that means that 1 bit is actually only 0.1 bit.So in face of a very lucky opponent, a 128 bit password has only 12.8 bit strength.

Well, let's validate that... Since 128bit password has 2^128 combinations: $2^{128} * 0.1 = 340282366920938463463374607431768211456 * 0.1 = 34028236692093846346337460743176821145.6$

$ \log_2(34028236692093846346337460743176821145.6) \approx 124$

This doesn't match with your calculation of $128*0.1=12.8$ because you divide bits, which is incorrect.

Attacker can't simply pick bits one by one. It's like lock and key:

You can't simply open one pin and know if you are right. Lock will only rotate if all pins are correct. Otherwise it won't rotate. So while lock with one pin is as easy as trying that one pin, lock with two pins you already don't know which pin is wrongly set. Same happens with cryptography. One bit encryption doesn't let you see how it scales (so you assumed linear growth - wrong). It's not that you can pick each bit at once. You need to crack all at once. And somewhat like with lockpicking, cryptographic algorithm is broken when you find that some pins actually give you some hints as to what state of "lock" is.

Answer 3

So if at each bit he has a 50% chance, that means that 1 bit is actually only half bit.

And if he is very lucky, say 90% chance, that means that 1 bit is actually only 0.1 bit.So in face of a very lucky opponent, a 128 bit password has only 12.8 bit strength.

You're miscomputing how "luck" affects the number of bits. For a 50% chance, that does not multiply the number of bits by 0.5, it reduces it by log₂0.5 bits -- -1 bit. So that 128 bit key is only as strong as 127 bits when you only need a 50% of guessing it.

Similarly, for a "lucky" opponent of the 90% level, that reduces the key by log₂0.1, or about -3.3 bits. So that 128 bit key has been reduced to about 125 bits, not 12.8 bits.

Even with an an extremely lucky 1-in-a-million guess (like winning the lottery), that still only reduces it by log₂0.000001, or about 20 bits, still leaving you with more than 100 bits of security

Answer 4

I'm not sure what you're trying to understand and if the other answers cover it, so I'm trying a different approach and interpret your question like this:

What if an attacker guesses the right sequence of 128 bits on her first try by pure chance?

That's certainly possible but so unlikely that we don't normally consider that possibility. If you want to consider this risk there's nothing you can do with cryptography since that is a matter of risk management which belongs into the field of economic sciences.

The likelihood of an attacker guessing the sequence of 128 bits of your encryption key correctly with just one brute-force attempt is 2^-128. Since people are notoriously bad at imagining very small or very large quantities we can only grasp what that means in relation to other quantities of the same type.

Let's assume that every person on this planet (about 10¹⁰) attempts to guess your key at a frequency of 10⁹ s^-1 over the span of your life and the following 900 years (100 a + 900 a ≃ 10¹¹ s) for a total of 10²⁰ attempts over that time span. The chance that at least one of these succeeds is:

$$ 1 - (1 - 2^{-128})^{10^{20}} ≃ 3 \cdot 10^{-19} $$

If you think that risk might be too high for you think again, because the likelihood of dying due to a cataclysmic meteorite impact is estimated at roughly 10^-5. That's about 10¹³ times as likely as the key guessing event and has an arguably much more severe impact (pun intended) on your and everybody's lives.

Conclusion: If you worry about your key being guessed at random by a ceaseless concerted effort of every human being from your birth till after your existence was likely forgotten you worry about the wrong thing. Stop researching cryptography and become an aeronautical engineer (or whatever you call someone who works on ways to avoid the collision of earth with huge space rocks)!

Answer 5

So if at each bit he has a 50% chance, that means that 1 bit is actually only half bit.

No, it is not. Because 'bit' is a quantity of information we should know to reduce entropy twice by definition. The 50% chance was already considered there: entropy is a measure of uncertainty (something a priori) and has nothing to do with luck (something a posteriori).

Answer 6

From computer point of view, there is no difference between "is lucky" and "knows password". You are Bob if You know Bob's password - that's very basic assumption of Kerckhoffs's principle and Bitcoin.

https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle

Answer 7

So Far, None of these answers are at all answering what I atleast interpret the question to be asking, all I see are many answers berating the asker for their question, even the few that mention actually answering "What would happen?", Immediately switch to speaking about the improbability of it.

So, Ignoring the utter utter improbability of such a circumstance, it is still possible, so if it were to happen that an attacker were to guess the password significantly sooner than probability would dictate likely, and one would assume you were hoping for with the encryption, then:

They know the password, simple as that.

What happens after that depends on their original intent & Human Psychology, the two circumstances that come to mind for me are,

• They use the password for their original intention and hack in, steal files, install malware, etc.

• Or they, also knowing the probability of this event, literally can't believe their luck and proceed to waste time re-cracking the encryption, fretting over the clearly far better than expected security you have, continuing to eat the lunch they were in the process of eating while they waited because they expected it to take longer and haven't checked yet, or similar.

Though you would likely have a far better answer for those last options if you asked on a psychology or suchlike site.

Answer 8

So if at each bit he has a 50% chance, that means that 1 bit is actually only >half bit.

And if he is very lucky, say 90% chance, that means that 1 bit is actually only >0.1 bit.So in face of a very lucky opponent, a 128 bit password has only 12.8 >bit strength.

Everyone has a 50% chance at every bit. That doesn't make it effectively less than a bit of entropy. Think of each bit as a separate coin toss. No one is more or less likely than 50% to guess the result of a fair coin toss. The universe will not bend it's rules for anyone and give them a 90%. Your chances of correctly guessing the results of 128 subsequent coin tosses are 1 in 2^128.