From 0378a294ba63aebeb9df2b4247a99ded2a73daec Mon Sep 17 00:00:00 2001 From: zooko <> Date: Wed, 20 Jun 2012 14:41:59 +0000 Subject: [PATCH] change self-link [Imported from Trac: page NewCaps/Rainhill, version 5] --- NewCaps/Rainhill.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NewCaps/Rainhill.md b/NewCaps/Rainhill.md index 73f465f..32726d6 100644 --- a/NewCaps/Rainhill.md +++ b/NewCaps/Rainhill.md @@ -31,6 +31,6 @@ where *k* = bitlength(*K_**), *r* = bitlength(*R*), *s* = bitlength(*S*) = bitle 4. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-*p*))).2^(*r*+*t*)/2^, but the approximation given here is very accurate for small *p*, and can only underestimate the cost. For *p* = 1/2 it underestimates by only a factor of 1.18. For *p* near 1 it underestimates severely; it is very hard for an attacker to be *certain* to find a collision. -5. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits, that would yield an easier attack on the combined hash. See . +5. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits, that would yield an easier attack on the combined hash. See [//pipermail/tahoe-dev/2009-October/003006.html tahoe-dev/2009-October/003006.html]. 6. The estimates given here are in terms of work factor, i.e. they are products of machine size and attack time. See [this paper by Dan Bernstein](http://cr.yp.to/snuffle/bruteforce-20050425.pdf) for discussion of parallel brute-force attacks, including attacks against multiple keys at once.