[tahoe-dev] how to encrypt, integrity-check, and offline-attenuate with only 2n bits

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Sep 9 05:56:26 UTC 2009


David-Sarah Hopwood wrote:
> For immutable files, we absolutely need 2n bits in a readcap to obtain
> collision resistance. It is desirable to also have 2n bits in a verifycap,
> to prevent an attack where the creator of a file can use a collision to
> generate a verifycap that will succeed in verifying invalid ciphertext
> (it isn't clear that this is a particularly useful attack, but it turns
> out we can prevent it at no significant cost).

Actually the strength against this attack is only 2^(n/2). It is possible
to increase the size of V' without increasing the size of R, if that is
considered a problem.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com



