From 27a7bd9e48c9257852b08329d8fe6393ebe24055 Mon Sep 17 00:00:00 2001
From: davidsarah <>
Date: Thu, 15 Oct 2009 04:40:28 +0000
Subject: [PATCH] multicollision attacks

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 45]
---
 NewCaps/WhatCouldGoWrong.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/NewCaps/WhatCouldGoWrong.md b/NewCaps/WhatCouldGoWrong.md
index 3902f26..4855df3 100644
--- a/NewCaps/WhatCouldGoWrong.md
+++ b/NewCaps/WhatCouldGoWrong.md
@@ -4,9 +4,9 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
 | | | | | | | |
 |---|---|---|---|---|---|---|
 |#|*what bad thing could happen*|*how*|*who could do it*|*what could they target*|*what crypto property prevents it*|*how expensive to brute force*|
-|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|approx sqrt(2.*p*).2^(*r*+*t*)/2^ [7]footnote|
+|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|approx sqrt(2.*p*).2^(*r*+*t*)/2^ [7,8]footnotes|
 |2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, and the secrecy of the read-key *R*|*p*.2^min(*r*,*k*)^|
-|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|(*p*/*N*).2^*r*+*t*^ [5]footnote|
+|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|(*p*/*N*).2^*r*+*t*^ [5,8]footnotes|
 |4|roadblock or speedbump [2]footnote|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone [6]footnote|any one file|the hash function's and cap format's second-preimage resistance on *T*|(*p*/*N*).2^*t*^|
 |5|unauthorized read|attack the encryption of the plaintext with *K1*|anyone|any one file|the security of the encryption scheme used for the plaintext, and the secrecy of the encryption key *K1*. The latter also depends on the security and seeding of the RNG that generated it.|*p*.2^*k*^|
 |6|unauthorized read|figure out the input to the hash function that generates *S*|anyone|any one file|the hash function's onewayness for (*R*,*T*) -> *S*|brute force on *R* is !#2|
@@ -37,3 +37,5 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
 6. *roadblock*/*speedbump* attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at <http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg> for mutable files).
 
 7. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-*p*))).2^(*r*+*t*)/2^, but the approximation given here is very accurate for small *p*, and can only underestimate the cost. For *p* = 1/2 it underestimates by only a factor of 1.18. For *p* near 1 it underestimates severely; it is very hard for an attacker to be *certain* to find a collision.
+
+8. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits that would yield an easier attack on the combined hash. [mailing list article]ref
\ No newline at end of file