Competition
Suppose a
passphrase has 20 characters, and the system asks for three
randomly chosen characters each time the user authenticates. How many
sessions must an attacker observe in order to have a 50% chance of
having obtained the full password?
Answer
Suppose the user
has learned r of the characters so far, and then observes another
authentication. In general, there are four possible outcomes: he may
learn no new characters, or one, or two, or three new characters. Given
that the attacker knows r characters, let p(r,s) be the probability
that after another observation he will have learned s characters.
- p(r,r) = (r/20) ((r-1)/19) ((r-2)/18) = (r (r-1) (r-2)) / 6840
- p(r,r+1) = 3 r (r-1) (n-r) / 6840
- p(r,r+2) = 3 r (n-r) (n-r-1) / 6840
- p(r,r+3) = (n-r) (n-r-1) (n-r-2) / 6840
The values of
p(r,s) are shown in the table below (note that the numbers appearing as
zero may be non-zero but less than 0.01). The table was made using Open Office (the spreadsheet
part).
Suppose the user
has made k trials so far. Let q(r,k) be the probability that the
attacker has learned r numbers after k trials. There are four ways in
which this could arise:
- The attacker could have had r numbers after k-1 trials, and
learned nothing in the last trial. This has probability q(r,k-1) p(r,r).
- He could have had r-1 numbers after k-1 trials, and learned one
number in the last trial. This has probability q(r-1,k-1) p(r-1,r).
- It could have been r-2 numbers after k-1 trials, and he learned
two numbers in the last trial: probability q(r-2,k-1) p(r-2,r).
- Or, r-3 numbers were known after k-1 trials, and three were
learned in the last trial: probability q(r-3,k-1) p(r-3,r).
Thus, we find
that q(r,k) = q(r,k-1) p(r,r) + q(r-1,k-1) p(r-1,r) + q(r-2,k-1)
p(r-2,r) + q(r-3,k-1) p(r-3,r). This enables us to calculate q(r,k) for
any r and k. The values of q(r,k) are shown in the table below (again,
using Open Office; again, the numbers appearing as zero may be non-zero
but less than 0.01).
(Note that when you multiply two probabilities to get the probability
of both events, you must check that the events are independent. The events in two
different rounds are obviously independent, so the multiplication is
justified. When you add probabilities to get the probability of one of
the events, you must check that the events are exclusive. The four bullet points
are obviously exclusive, so the addition is justified.)
We seek the
smallest k such that q(20,k) > 0.5. This is k=22. So 22 observations
are needed to have a 50% chance of getting the full passphrase.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| The values of p(r,s) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
s |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
|
|
|
|
|
|
|
0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
r
|
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
|
|
|
0.00 |
0.04 |
0.36 |
0.60 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 4 |
|
|
|
|
0.00 |
0.08 |
0.42 |
0.49 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 5 |
|
|
|
|
|
0.01 |
0.13 |
0.46 |
0.40 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
|
|
|
|
|
|
0.02 |
0.18 |
0.48 |
0.32 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 7 |
|
|
|
|
|
|
|
0.03 |
0.24 |
0.48 |
0.25 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 8 |
|
|
|
|
|
|
|
|
0.05 |
0.29 |
0.46 |
0.19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 9 |
|
|
|
|
|
|
|
|
|
0.07 |
0.35 |
0.43 |
0.14 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 10 |
|
|
|
|
|
|
|
|
|
|
0.11 |
0.39 |
0.39 |
0.11 |
|
|
|
|
|
|
|
|
|
|
|
|
|
| 11 |
|
|
|
|
|
|
|
|
|
|
|
0.14 |
0.43 |
0.35 |
0.07 |
|
|
|
|
|
|
|
|
|
|
|
|
| 12 |
|
|
|
|
|
|
|
|
|
|
|
|
0.19 |
0.46 |
0.29 |
0.05 |
|
|
|
|
|
|
|
|
|
|
|
| 13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
0.25 |
0.48 |
0.24 |
0.03 |
|
|
|
|
|
|
|
|
|
|
| 14 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0.32 |
0.48 |
0.18 |
0.02 |
|
|
|
|
|
|
|
|
|
| 15 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0.40 |
0.46 |
0.13 |
0.01 |
|
|
|
|
|
|
|
|
| 16 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0.49 |
0.42 |
0.08 |
0.00 |
|
|
|
|
|
|
|
| 17 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0.60 |
0.36 |
0.04 |
0.00 |
|
|
|
|
|
|
| 18 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0.72 |
0.27 |
0.02 |
|
|
|
|
|
|
| 19 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0.85 |
0.15 |
|
|
|
|
|
|
| 20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
1.00 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| The values of q(r,k) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
k |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
0 |
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
|
0 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| r |
1 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 2 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 3 |
|
1 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 4 |
|
|
0.04 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 5 |
|
|
0.36 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 6 |
|
|
0.6 |
0.08 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 7 |
|
|
0 |
0.3 |
0.03 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 8 |
|
|
0 |
0.43 |
0.13 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 9 |
|
|
0 |
0.19 |
0.31 |
0.07 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 10 |
|
|
0 |
0 |
0.34 |
0.21 |
0.05 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 11 |
|
|
0 |
0 |
0.17 |
0.32 |
0.16 |
0.05 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 12 |
|
|
0 |
0 |
0.03 |
0.26 |
0.28 |
0.15 |
0.05 |
0.02 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 13 |
|
|
0 |
0 |
0 |
0.11 |
0.28 |
0.26 |
0.15 |
0.07 |
0.03 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 14 |
|
|
0 |
0 |
0 |
0.02 |
0.16 |
0.28 |
0.26 |
0.17 |
0.09 |
0.04 |
0.02 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 15 |
|
|
0 |
0 |
0 |
0 |
0.05 |
0.17 |
0.27 |
0.27 |
0.21 |
0.13 |
0.08 |
0.04 |
0.02 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 16 |
|
|
0 |
0 |
0 |
0 |
0.01 |
0.06 |
0.17 |
0.26 |
0.29 |
0.26 |
0.2 |
0.13 |
0.09 |
0.05 |
0.03 |
0.02 |
0.01 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
| 17 |
|
|
0 |
0 |
0 |
0 |
0 |
0.01 |
0.06 |
0.15 |
0.24 |
0.29 |
0.3 |
0.27 |
0.22 |
0.17 |
0.13 |
0.09 |
0.06 |
0.04 |
0.03 |
0.02 |
0.01 |
0.01 |
0 |
0 |
0 |
| 18 |
|
|
0 |
0 |
0 |
0 |
0 |
0 |
0.01 |
0.05 |
0.11 |
0.19 |
0.26 |
0.31 |
0.33 |
0.33 |
0.3 |
0.26 |
0.22 |
0.18 |
0.14 |
0.11 |
0.09 |
0.07 |
0.05 |
0.04 |
0.03 |
| 19 |
|
|
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0.01 |
0.03 |
0.06 |
0.12 |
0.19 |
0.26 |
0.32 |
0.37 |
0.4 |
0.41 |
0.41 |
0.4 |
0.38 |
0.35 |
0.32 |
0.29 |
0.26 |
0.23 |
| 20 |
|
|
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0 |
0.01 |
0.02 |
0.04 |
0.08 |
0.12 |
0.17 |
0.23 |
0.3 |
0.36 |
0.43 |
0.49 |
0.55 |
0.6 |
0.65 |
0.7 |
0.74 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In fact, this
kind of reasoning from first principles is unnecessary. Once you
realise that the system is a Markov chain,
you can use well-established methods for solving it (the calculations
amount to the same ones shown here, but it is more systematic).