From 5bb008a2be952d03ba2e16ad31d0b9553bb3d099 Mon Sep 17 00:00:00 2001 From: davidsarah <> Date: Sun, 11 Oct 2009 15:17:43 +0000 Subject: [PATCH] =?UTF-8?q?note=20attacks=20better=20than=20brute-force=20?= =?UTF-8?q?on=20Merkle-Damg=C3=A5rd=20hashes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [Imported from Trac: page NewCaps/WhatCouldGoWrong, version 31] --- NewCaps/WhatCouldGoWrong.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/NewCaps/WhatCouldGoWrong.md b/NewCaps/WhatCouldGoWrong.md index 889077b..dc3dfc4 100644 --- a/NewCaps/WhatCouldGoWrong.md +++ b/NewCaps/WhatCouldGoWrong.md 
@@ -6,16 +6,16 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: *S*|brute force on *R* is !#2| |7|unauthorized deletion|brute force KD|anyone|any one file|secrecy of *KD*|2^*d*^| |8|unauthorized deletion|figure out a working destroy key KD from Dhash|anyone|any one file|the hash function's preimage resistance on *Dhash*|2^min(*d*,*dh*)^| |9|denial of service|prevent access to servers holding sufficient shares (by controlling some of them, or by attacking them or the network)|anyone|any file|not prevented by crypto|n/a| -|10|cause invalid share to verify|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's (*T*,*U*), and copy their *S*|anyone|any one file|the hash function's second-preimage resistance on (*T*,*U*)|2^*t*+*u*^| +|10|cause invalid share to verify|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's (*T*,*U*), and copy their *S*|anyone|any one file|the hash function's second-preimage resistance on (*T*,*U*)|2^*t*+*u*^ [7]footnote| |11|undeletion [3]footnote|restore a deleted file's shares by controlling the relevant servers|anyone|any one file|not prevented by crypto|n/a| -|12|undeletion [3]footnote|generate matching (*R*,*T*,*U*) for a deleted file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*,*U*)|2^*r*+*t*+*u*^| +|12|undeletion [3]footnote|generate matching (*R*,*T*,*U*) for a deleted file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*,*U*)|2^*r*+*t*+*u*^ [7]footnote| |13|accidental collision|storage indices (*S1*,*T1*) and (*S2*,*T2*) collide accidentally|n/a|any two files|approximately random distribution of hash function outputs|[4]footnote| where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = bitlength(*T*), *u* = bitlength(*U*), *d* = bitlength(*KD*), *dh* = bitlength(*Dhash*). 
@@ -34,3 +34,5 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b 5. Brute force costs assume a single-target attack that is expected to succeed with high probability. Costs will be lower for attacking multiple targets or for a lower success probability. (Should we give explicit formulae for this?) 6. *roadblock*/*speedbump* attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at for mutable files). + +7. On Merkle-Damgård hashes with an internal state that is the same size as the hash output, there are better second-preimage attacks than brute force. See . This is not significant for roadblock/speedbump attacks because the internal state will be much larger than *t* bits, but it is significant for the other attacks.
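Review bot: In the first hunk, rows 10 and 12 gain the [7] marker but their cost cells still read 2^*t*+*u*^ and 2^*r*+*t*+*u*^, which are the brute-force figures that footnote 7 says can be beaten. A reader scanning the cost column will take those values as the actual work factor. Consider marking them as upper bounds in the cell itself, so the table does not overstate the margin for the second-preimage rows. Row 8 depends on preimage resistance on *Dhash* rather than second-preimage resistance, so leaving it unmarked is consistent with the footnote's wording, but it would help to say that explicitly.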
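Review bot: In the second hunk, the added footnote 7 reads "See ." with no reference after it in the text as shown, so the claim about better-than-brute-force second-preimage attacks cannot be checked from the page; please add the citation or link. "The other attacks" should also name the rows it means (10 and 12 are the ones carrying the marker). The footnote would be more useful still if it stated the reduced cost, or the internal state size it assumes for the hash in use, since the condition "internal state that is the same size as the hash output" is given without saying whether this design meets it.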