Suppose we have a BLE-related value with 7 bytes of entropy.
One byte is 8 bits, so 7 bytes is 7 * 8 = 56 bits.
For this calculation, treat that as a uniform search space with 2^56 possible values.
If an attacker must try every candidate in the worst case, the attacker performs 2^56 guesses.
This assumes all 56 bits are independent, random, and usable; fixed, reserved, or predictable bits would reduce the real entropy.
Here 2^56 means 2 raised to the 56th power.
It is 72,057,594,037,927,936, which is about 7.21 * 10^16.
It is not 10^56.
Also, in languages such as C and Python, ^ is a bitwise XOR operator; the mathematical exponent form would be written as 2**56 in Python.
Now assume a deliberately simple machine model:
- One processor running at
4.0 GHz. - The processor can execute
4,000,000,000cycles per second, assuming one useful candidate-checking cycle stream. - Each candidate check costs exactly
3cycles. - The target value is the last candidate tried, so this is the worst case.
Calculation
The search space size is:
2^56 = 72,057,594,037,927,936 guesses
At 3 cycles per guess:
total cycles = 72,057,594,037,927,936 * 3
= 216,172,782,113,783,808 cycles
A 4.0 GHz processor performs 4,000,000,000 cycles per second, so:
time = 216,172,782,113,783,808 / 4,000,000,000
= 54,043,195.52844595 seconds
Converting seconds to years using 365.25 days per year:
years = 54,043,195.52844595 / 31,557,600
= 1.712525525656 yearsAnother way to sanity-check the same result is to compute guesses per second first:
guesses_per_second = 4,000,000,000 / 3
= 1,333,333,333.33 guesses/second
time = 72,057,594,037,927,936 / 1,333,333,333.33
= 54,043,195.52844595 seconds
= 1.712525525656 years| Quantity | Value |
|---|---|
| Entropy | 7 bytes = 56 bits |
| Search space | 2^56 = 72,057,594,037,927,936 guesses |
| Cost per guess | 3 CPU cycles |
| Processor speed | 4.0 GHz = 4,000,000,000 cycles per second |
| Implied guessing rate | 1,333,333,333.33 guesses per second |
| Worst-case time | 54,043,195.52844595 seconds, about 625.5 days |
| Worst-case time in years | 1.712525525656 years |
| Average-case time | 0.856262762828 years, or about 312.75 days, if the value is equally likely to be anywhere in the search order |
In this model, the worst-case cracking time is about 1.71 years. The average case is about 0.86 years, assuming the target value is uniformly random and the attacker searches in a fixed order.
Important Caveat
The assumption 3 cycles per candidate is not realistic for most real cracking scenarios.
It implies about 1.33 billion guesses per second on this one processor.
With a 2^56 space, that toy rate still gives a worst-case time of about 1.71 years.
Real systems often add costs that are much larger than a few CPU cycles.
Password systems usually store hashes, and good password storage uses slow password-hashing algorithms such as bcrypt, scrypt, Argon2, or PBKDF2.
BLE-related attacks may also require protocol messages, radio timing, pairing attempts, or device responses; if the check cannot be done fully offline, those costs can dominate.
Real cracking time depends on many details:
- The password-hashing or verification algorithm, if the value is checked through one.
- The configured work factor or memory cost.
- Whether the attack is online or offline.
- Rate limits, lockouts, pairing attempt limits, radio timing, and monitoring for online attacks.
- CPU, GPU, FPGA, or ASIC hardware available to the attacker.
- Whether all 56 bits are truly random or whether some bits are fixed, biased, or predictable.
The formula is still useful as a first-principles estimate:
worst_case_seconds = (number_of_guesses * cycles_per_guess) / cycles_per_secondFor this specific input:
worst_case_seconds = (2^56 * 3) / (4 * 10^9)
= 54,043,195.52844595 seconds
= 1.712525525656 years