[tahoe-dev] Invitation protocol

David-Sarah Hopwood david-sarah at jacaranda.org
Tue Jun 12 15:59:56 UTC 2012


On 11/06/12 01:15, Brian Warner wrote:
> ## Attacks [against the first protocol]
> 
> The best attack is for Mallory to find a pre-image of the public
> ChannelID, allowing her to forge the HMAC and get Bob (and then Alice)
> to accept an alternate msg1. With a 128-bit IC, this attack ought to
> require 2^128 operations. (someone please tell me if I'm wrong.. I
> believe that we care about pre-images rather than collisions, so we
> don't need a 256-bit IC to achieve a 128-bit security level).

Against non-quantum attacks assuming no weakness in HKDF or HMAC:
p * 2^128 / M operations, where p is the success probability and M is
the number of targets.

Increasing the IC to, say, 192 bits, makes low-probability and multi-target
attacks infeasible.

-- 
David-Sarah Hopwood ⚥
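
An added illustration of the p * 2^128 / M estimate in the reply above (not code from the thread or from Tahoe-LAFS): it measures the multi-target guessing success rate on a toy 12-bit IC, then evaluates the same formula for 128-bit and 192-bit ICs. The SHA-256 `channel_id` derivation is a stand-in assumption for the protocol's real derivation, and the values p = 2^-20 and M = 2^20 are constructed for illustration.

```python
import hashlib
import math
import random

def attack_work_log2(ic_bits: int, p: float, targets: int) -> float:
    """log2 of p * 2^ic_bits / M, the generic guessing cost from the reply."""
    return ic_bits + math.log2(p) - math.log2(targets)

def channel_id(ic: int, ic_bits: int) -> bytes:
    # Assumption: stand-in one-way derivation, not the protocol's HKDF step.
    return hashlib.sha256(ic.to_bytes((ic_bits + 7) // 8, "big")).digest()

def success_rate(ic_bits: int, targets: int, budget: int,
                 trials: int, seed: int = 1) -> float:
    """Fraction of trials in which `budget` guesses hit any of M targets."""
    rng = random.Random(seed)  # seeded so the toy run is repeatable
    # The guesser's work is the same in every trial: hash `budget` candidate ICs.
    guessed = {channel_id(g, ic_bits) for g in range(budget)}
    hits = 0
    for _ in range(trials):
        # M outstanding invitations, each with an independent random IC.
        ics = rng.sample(range(2 ** ic_bits), targets)
        published = {channel_id(ic, ic_bits) for ic in ics}
        if guessed & published:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    # Toy scale (12-bit IC) so the estimate can be checked by brute force.
    bits, m, budget = 12, 16, 32
    print("measured p :", success_rate(bits, m, budget, trials=2000))
    print("predicted p:", budget * m / 2 ** bits)  # p * 2^n / M, solved for p
    # Real scale; p = 2^-20 and M = 2^20 are constructed illustration values.
    for ic_bits in (128, 192):
        work = attack_work_log2(ic_bits, 2 ** -20, 2 ** 20)
        print(f"{ic_bits}-bit IC: about 2^{work:.0f} operations")
```

With these constructed values, the 128-bit IC leaves about 2^88 operations of margin and the 192-bit IC about 2^152, which is the gap the reply's suggestion closes.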
