Changes between Version 44 and Version 45 of NewCaps/WhatCouldGoWrong


Timestamp:
2009-10-15T04:40:28Z (15 years ago)
Author:
davidsarah
Comment:

multicollision attacks

  • NewCaps/WhatCouldGoWrong

    v44 v45  
    33
    44||#||''what bad thing could happen''||''how''||''who could do it''||''what could they target''||''what crypto property prevents it''||''how expensive to brute force''||
    5 ||1||shape-shifter immutable file [footnote 1]||collide read-cap (''R'',''T'')||creator of a file||their own file||the hash function's and cap format's collision resistance on the read-cap (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||approx sqrt(2.''p'').2^(''r''+''t'')/2^ [footnote 7]||
     5||1||shape-shifter immutable file [footnote 1]||collide read-cap (''R'',''T'')||creator of a file||their own file||the hash function's and cap format's collision resistance on the read-cap (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||approx sqrt(2.''p'').2^(''r''+''t'')/2^ [footnotes 7,8]||
    66||2||unauthorized read||attack the encryption of ''K1'' with ''R''||anyone||any one file||the security of the encryption scheme used for ''K1'', and the secrecy of the read-key ''R''||''p''.2^min(''r'',''k'')^||
    7 ||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||(''p''/''N'').2^''r''+''t''^ [footnote 5]||
     7||3||forgery of immutable file||generate a matching read-cap (''R'',''T'') for someone else's file||anyone||any one file||the hash function's and cap format's second-preimage resistance on (''R'',''T''). This also depends on the encryption of ''K1'' being deterministic and correct.||(''p''/''N'').2^''r''+''t''^ [footnotes 5,8]||
    88||4||roadblock or speedbump [footnote 2]||generate (''K1enc'',''Dhash'',''V'') that hash to someone else's ''T'', and copy their ''S''||anyone [footnote 6]||any one file||the hash function's and cap format's second-preimage resistance on ''T''||(''p''/''N'').2^''t''^||
    99||5||unauthorized read||attack the encryption of the plaintext with ''K1''||anyone||any one file||the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key ''K1''. The latter also depends on the security and seeding of the RNG that generated it.||''p''.2^''k''^||
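Review bot: In rows 1 and 3 the only change is the footnote marker in the last column ("[footnotes 7,8]" and "[footnotes 5,8]"), so the brute-force costs still read as unconditional figures although footnote 8 makes them hold only when no multicollision shortcut exists on the hash truncated to ''r'' or ''t'' bits. Consider naming that dependency in the "what crypto property prevents it" cell of both rows as well, since that column is where the table lists the assumptions each cost rests on. Row 4 relies on ''T'' alone rather than the combined (''R'',''T'') output, so leaving it unmarked is consistent with footnote 8's wording.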
     
    3636
    37377. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-''p''))).2^(''r''+''t'')/2^, but the approximation given here is very accurate for small ''p'', and can only underestimate the cost. For ''p'' = 1/2 it underestimates by only a factor of 1.18. For ''p'' near 1 it underestimates severely; it is very hard for an attacker to be ''certain'' to find a collision.
     38
     398. In order for the combined hash with output (''R'',''T'') to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to ''r'' bits or to ''t'' bits that would yield an easier attack on the combined hash. [ref mailing list article]
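Review bot: Footnote 8 ends with the placeholder "[ref mailing list article]", so the multicollision condition has no citation a reader can follow; replace it with the actual link to the list post. The footnote also says "collision and preimage attacks" while row 3, which now cites it, names second-preimage resistance; use the same term in both places so it is clear which property the condition protects.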