[tahoe-dev] how to encrypt and integrity-check with only one value [correction]
Zooko Wilcox-O'Hearn
zooko at zooko.com
Mon Sep 7 19:48:47 PDT 2009
On Monday, 2009-09-07, at 18:16, Brian Warner wrote:
> How long do we need that hash to be? I'm not clear on the math. If
> we want a 128bit security parameter, and we have a 128bit writecap
> (the signing key), the DSA verifying key will be 256bits, yeah?
> Would a 128bit hash of that verifying key be sufficient to maintain
> our security level?
For mutable files we need only second-pre-image-resistance (i.e.
someone who does *not* have the write-cap can't come up with a
verification string that collides with a legit one), which means we
need only 128 bits of hash output. For immutable files we need
collision-resistance (i.e. even the original uploader can't come up
with a colliding pair of verification strings), which means we need
256 bits of hash output.
Regards,
Zooko
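
Added example, not part of the original message or of Tahoe's code: the difference between the two properties discussed above, measured on a deliberately tiny hash. It assumes SHA-256 truncated to 16 bits as a stand-in for the verification-string hash; the function names and input strings are constructed for illustration.

```python
import hashlib
from itertools import count

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256 (toy stand-in for the real hash)."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Immutable-file case: the uploader chooses BOTH strings.
    A birthday search needs about 2**(bits/2) hash evaluations."""
    seen = {}
    for i in count():
        msg = b"uploader-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def find_second_preimage(target: bytes, bits: int):
    """Mutable-file case: the legit string is fixed by the write-cap
    holder; an outsider must match it. Needs about 2**bits evaluations."""
    want = truncated_hash(target, bits)
    for i in count():
        msg = b"forger-%d" % i
        if msg != target and truncated_hash(msg, bits) == want:
            return msg, i + 1

if __name__ == "__main__":
    BITS = 16  # small enough to brute-force in well under a second
    a, b, c_work = find_collision(BITS)
    forged, p_work = find_second_preimage(b"legit verification string", BITS)
    print(f"collision       after {c_work} hashes (~2^{BITS // 2} expected)")
    print(f"second preimage after {p_work} hashes (~2^{BITS} expected)")
    # Scaling up: an n-bit hash gives ~n/2 bits against collisions and
    # ~n bits against second preimages, so a 128-bit security level
    # needs 256 bits of output in the first case and 128 in the second.
```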