change self-link

[Imported from Trac: page NewCaps/Rainhill, version 5]
2012-06-20 14:41:59 +00:00 · 2012-06-20 14:41:59 +00:00 · 0378a294ba
parent 1a9b70df38
commit 0378a294ba
1 changed files with 1 additions and 1 deletions
--- a/NewCaps/Rainhill.md
+++ b/NewCaps/Rainhill.md
@ -31,6 +31,6 @@ where *k* = bitlength(*K_**), *r* = bitlength(*R*), *s* = bitlength(*S*) = bitle

 4. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-*p*))).2^(*r*+*t*)/2^, but the approximation given here is very accurate for small *p*, and can only underestimate the cost. For *p* = 1/2 it underestimates by only a factor of 1.18. For *p* near 1 it underestimates severely; it is very hard for an attacker to be *certain* to find a collision.

-5. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits, that would yield an easier attack on the combined hash. See <http://allmydata.org/pipermail/tahoe-dev/2009-October/003006.html> .
+5. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits, that would yield an easier attack on the combined hash. See [//pipermail/tahoe-dev/2009-October/003006.html tahoe-dev/2009-October/003006.html].

 6. The estimates given here are in terms of work factor, i.e. they are products of machine size and attack time. See [this paper by Dan Bernstein](http://cr.yp.to/snuffle/bruteforce-20050425.pdf) for discussion of parallel brute-force attacks, including attacks against multiple keys at once.