Changes between Version 36 and Version 37 of NewCaps/WhatCouldGoWrong

Timestamp:

2009-10-11T16:05:58Z (15 years ago)

Author:

davidsarah

Comment:

footnote 5 no longer applicable; remove and renumber

NewCaps/WhatCouldGoWrong

@@ -2 +2 @@
 (http://zooko.com/immutable-elkpoint-2.png if your browser does not correctly handle SVG.)
 
-||#||''what bad thing could happen''||''how''||''who could do it''||''what could they target''||''what crypto property prevents it''||''how expensive to brute force'' [footnote 5]||
+||#||''what bad thing could happen''||''how''||''who could do it''||''what could they target''||''what crypto property prevents it''||''how expensive to brute force''||
 ||1||shape-shifter immutable file [footnote 1]||collide read-cap (''R'',''T'')||creator of a file||their own file||the hash function's and cap format's collision resistance on the read-cap (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||''p''.2^(''r''+''t'')/2^||
 ||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', and the secrecy of the read-key ''R''||''p''.2^min(''r'',''k'')^||
-||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||''p''/''N''.2^''r''+''t''^ [footnote 7]||
+||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||''p''/''N''.2^''r''+''t''^ [footnote 5]||
 ||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone [footnote 6]||any one file||the hash function's and cap format's second-preimage resistance on ''T''||''p''/''N''.2^''t''^||
 ||5||unauthorized read||attack the encryption of the plaintext with ''K1''||anyone||any one file||the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key ''K1''. The latter also depends on the security and seeding of the RNG that generated it.||''p''.2^''k''^||
@@ -12 +12 @@
 ||8||unauthorized deletion||figure out a working destroy key KD from Dhash||anyone||any one file||the hash function's preimage resistance on ''Dhash''||''p''/''N''.2^min(''d'',''dh'')^||
 ||9||denial of service||prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them or the network)||anyone||any file||not prevented by crypto||not applicable||
-||10||cause invalid share to verify||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's (''T'',''U''), and copy their ''S''||anyone||any one file||the hash function's second-preimage resistance on (''T'',''U'')||''p''/''N''.2^''t''+''u''^ [footnote 7]||
+||10||cause invalid share to verify||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's (''T'',''U''), and copy their ''S''||anyone||any one file||the hash function's second-preimage resistance on (''T'',''U'')||''p''/''N''.2^''t''+''u''^ [footnote 5]||
 ||11||undeletion [footnote 3]||restore a deleted file's shares by controlling the relevant servers||anyone||any one file||not prevented by crypto||not applicable||
-||12||undeletion [footnote 3]||generate matching (''R'',''T'',''U'') for a deleted file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T'',''U'')||''p''/''N''.2^''r''+''t''+''u''^ [footnote 7]||
+||12||undeletion [footnote 3]||generate matching (''R'',''T'',''U'') for a deleted file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T'',''U'')||''p''/''N''.2^''r''+''t''+''u''^ [footnote 5]||
 ||13||accidental collision||storage indices (''S1'',''T1'') and (''S2'',''T2'') collide accidentally||not applicable||any two files||approximately random distribution of hash function outputs||[footnote 4]||
 
@@ -32 +32 @@
 4. See the probability table at http://en.wikipedia.org/wiki/Birthday_Paradox . The effective hash length is approximately min(''s'',''r'')+''t'' bits.
 
-5. Brute force costs assume a single-target attack that is expected to succeed with high probability. Costs will be lower for attacking multiple targets or for a lower success probability. (Should we give explicit formulae for this?)
+5. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See http://www.schneier.com/paper-preimages.pdf . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than ''t'' bits, but it is significant for the other second-preimage attacks.
 
 6. ''roadblock''/''speedbump'' attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg for mutable files).
-
-7. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See http://www.schneier.com/paper-preimages.pdf . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than ''t'' bits, but it is significant for the other second-preimage attacks.