From 0009349ca09527b9939c6cee3b7781be3a7ab09c Mon Sep 17 00:00:00 2001
From: davidsarah <>
Date: Sun, 11 Oct 2009 15:30:38 +0000
Subject: [PATCH] SHA-256d does not help for attacks in footnote 7

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 34]
---
 NewCaps/WhatCouldGoWrong.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NewCaps/WhatCouldGoWrong.md b/NewCaps/WhatCouldGoWrong.md
index 58784e8..be4f46e 100644
--- a/NewCaps/WhatCouldGoWrong.md
+++ b/NewCaps/WhatCouldGoWrong.md
@@ -35,4 +35,4 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
 
 6. *roadblock*/*speedbump* attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at <http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg> for mutable files).
 
-7. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See <http://www.schneier.com/paper-preimages.pdf> . This is not significant for roadblock/speedbump attacks because the internal state will be much larger than *t* bits, but it is significant for the other second-preimage attacks.
+7. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See <http://www.schneier.com/paper-preimages.pdf> . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than *t* bits, but it is significant for the other second-preimage attacks.