Changes between Version 4 and Version 5 of NewCaps/Rainhill
- Timestamp:
- 2012-06-20T14:41:59Z (12 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
NewCaps/Rainhill
v4 v5 30 30 4. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-''p''))).2^(''r''+''t'')/2^, but the approximation given here is very accurate for small ''p'', and can only underestimate the cost. For ''p'' = 1/2 it underestimates by only a factor of 1.18. For ''p'' near 1 it underestimates severely; it is very hard for an attacker to be ''certain'' to find a collision. 31 31 32 5. In order for the combined hash with output (''R'',''T'') to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to ''r'' bits or to ''t'' bits, that would yield an easier attack on the combined hash. See http://allmydata.org/pipermail/tahoe-dev/2009-October/003006.html.32 5. In order for the combined hash with output (''R'',''T'') to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to ''r'' bits or to ''t'' bits, that would yield an easier attack on the combined hash. See [//pipermail/tahoe-dev/2009-October/003006.html tahoe-dev/2009-October/003006.html]. 33 33 34 34 6. The estimates given here are in terms of work factor, i.e. they are products of machine size and attack time. See [http://cr.yp.to/snuffle/bruteforce-20050425.pdf this paper by Dan Bernstein] for discussion of parallel brute-force attacks, including attacks against multiple keys at once.
