[tahoe-dev] a crypto puzzle about digital signatures and future compatibility

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Aug 26 22:45:46 PDT 2009


Brian Warner wrote:
> Nathan wrote:
>> The scenario of a 1.7 client producing two malicious files is a little
>> off, IMO.
> 
> At lunch today, Nathan and I discussed this further. There are two
> separate sorts of attacks, which (I think) roughly parallel the
> difference between first-preimage and second-preimage attacks on hash
> functions.
> 
> Attack A is where Alice uploads a file, derives a filecap, gives the
> filecap to Bob, and then Bob downloads the file. Bob desires to see
> whatever file Alice wanted him to see, and to not rely upon the servers
> or other non-Alice parties to achieve this goal. The attacker (someone
> other than Alice) can give Bob any shares they like. The attacker wins
> if Bob accepts a file which is different than what Alice wanted him to
> see.
> 
> Attack B is where Alice uploads a file, Bob gets the filecap and
> downloads it, Carol gets the same filecap and downloads it, and Carol
> desires to see the same file that Bob saw. (Bob and Carol may be the
> same person at different times, or Bob may have signed a contract
> referencing the filecap and Carol is the judge who later enforces the
> contract). The attackers (who may be Alice and/or other parties) get to
> craft the filecap and the shares however they like. The attackers win if
> Bob and Carol accept different documents.

Just to clarify, attack B only applies to immutable file caps, correct?
If the file cap is mutable then Bob and Carol can have no expectation of
seeing the same file.

> I always get confused about the difference between first-preimage and
> second-preimage, but I think there's a correspondence here.

Attack A is second-preimage (the attacker already has a message/hash pair).
Attack B is collision.

First-preimage would be finding a message that hashes to a given hash,
without having an existing message that hashes to it.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com



More information about the tahoe-dev mailing list