Getting to this late, but if I hear you right, generating a set of hypotheses was exactly what I was trying for with the parity. If you see a, say, 6-word input where the parity doesn't work out, you "erase" each of the six words and replace it with the parity of the other words, and check if the result is the user's password. It'd mean the user(/attacker) could make you do 6 hash checks each time they tried to log in, so it'd cost you ~13 bits of security not just 10.
And, yes, min-entropy is a really helpful concept here. Captures well that nobody's password is a good crypto key, but at the same time it deals with the attacks trying the really common overused passwords on a lot of accounts.
Very cool that you could tolerate 2 errs/3 erasures and still have 60 bits with ECC if you trade off ordering. ECC and coding theory is one of those areas where I wish I had slightly more CS education so I could do more than just gawk at its power.
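The erase-and-refill check described in the comment above, as an added example (not the commenter's code). It assumes XOR of word indices as the parity, a constructed 16-word list, and PBKDF2 as the password hash; it also treats a word that is not on the list as a known erasure, which goes slightly beyond the comment.

```python
import hashlib
import hmac
from functools import reduce

# Constructed 16-word list (4 bits/word); a power-of-two size keeps the XOR
# parity inside the list. The comment's numbers imply 10 bits per word.
WORDS = ("acid bolt cave dune echo fern gust hive "
         "iris jade kelp lime moss nova opal pike").split()
INDEX = {w: i for i, w in enumerate(WORDS)}

def parity(indices):
    return reduce(lambda a, b: a ^ b, indices, 0)

def make_passphrase(data_indices):
    """Append a parity word so the XOR of all word indices is 0."""
    return [WORDS[i] for i in data_indices] + [WORDS[parity(data_indices)]]

def slow_hash(words, salt):
    # Iteration count is deliberately low so the demo runs quickly.
    return hashlib.pbkdf2_hmac("sha256", " ".join(words).encode(), salt, 10_000)

def verify(words, salt, stored):
    """Return (accepted, hash_checks); tolerates one wrong or unknown word."""
    idx = [INDEX.get(w) for w in words]
    unknown = [i for i, v in enumerate(idx) if v is None]
    if len(unknown) > 1:
        return False, 0                  # more than one erasure: give up
    if unknown:
        positions = unknown              # erasure position is already known
    elif parity(idx) == 0:
        positions = [None]               # parity holds: check input as typed
    else:
        positions = range(len(idx))      # parity fails: one hypothesis per word
    checks = 0
    for pos in positions:
        cand = list(idx)
        if pos is not None:              # erase this word, refill from parity
            cand[pos] = parity(v for i, v in enumerate(idx) if i != pos)
        checks += 1
        digest = slow_hash([WORDS[i] for i in cand], salt)
        if hmac.compare_digest(digest, stored):
            return True, checks
    return False, checks
```

The second return value is the number of hash evaluations a single login attempt triggered, which is the per-attempt cost the comment counts against the scheme.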