[tahoe-dev] how to encrypt and integrity-check with only one value [correction]

Brian Warner warner at lothar.com
Mon Sep 7 17:16:04 PDT 2009


David-Sarah Hopwood wrote:
> 
> Given that for mutable files, a read cap can be a hash of a public key
> that is stored with the signature, it seems like we now have all the
> protocols needed to design new Tahoe URL schemes that are much shorter

How long do we need that hash to be? I'm not clear on the math. If we
want a 128bit security parameter, and we have a 128bit writecap (the
signing key), the DSA verifying key will be 256bits, yeah? Would a
128bit hash of that verifying key be sufficient to maintain our security
level?

One design described on NewMutableEncodingDesign calls for a readcap
that contains a hash of the writecap and a hash of the verifying key. If
we could get away with 128bits for each, we'd have 256bit readcaps (i.e.
2*kappa). I don't know how to get that down to 1*kappa. I'll sit down
and think about how zooko's immutable-file trick could be applied to
mutable files, but I suspect that it would lose offline
writecap-to-readcap attenuation, and I think that's too much of a cost
to bear.

always puzzled,
 -Brian


More information about the tahoe-dev mailing list