Changes between Version 57 and Version 58 of NewCaps/WhatCouldGoWrong


Ignore:
Timestamp:
2013-01-14T02:27:59Z (12 years ago)
Author:
zooko
Comment:

https, when available

Legend:

Unmodified
Added
Removed
Modified
  • NewCaps/WhatCouldGoWrong

    v57 v58  
    31313. ''undeletion'': attacker makes a deleted file (for which it need not have had a read cap) accessible at its previous storage index, and readable by previous read caps
    3232
    33 4. See the probability table at http://en.wikipedia.org/wiki/Birthday_Attack . The effective hash length is approximately min(''s'',''r'')+''t'' bits.
     334. See the probability table at https://en.wikipedia.org/wiki/Birthday_attack . The effective hash length is approximately min(''s'',''r'')+''t'' bits.
    3434
    35 5. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See http://www.schneier.com/paper-preimages.pdf . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than ''t'' bits, but it is significant for the other second-preimage attacks.
     355. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See https://www.schneier.com/paper-preimages.pdf . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than ''t'' bits, but it is significant for the other second-preimage attacks.
    3636
    37376. ''roadblock''/''speedbump'' attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg for mutable files).