correct formula for cost of collision attack !#1

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 41]
davidsarah 2009-10-11 16:57:11 +00:00
parent add6842ae1
commit a5462a64e9

@ -4,7 +4,7 @@ This is about What Could Go Wrong with the "Elk Point 2" immutable file caps: <h
| | | | | | | |
|---|---|---|---|---|---|---|
|#|*what bad thing could happen*|*how*|*who could do it*|*what could they target*|*what crypto property prevents it*|*how expensive to brute force*|
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|*p*.2^(*r*+*t*)/2^|
|1|shape-shifter immutable file [1]footnote|collide read-cap (*R*,*T*)|creator of a file|their own file|the hash function's and cap format's collision resistance on the read-cap (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|approx sqrt(2.*p*).2^(*r*+*t*)/2^ [7]footnote|
|2|unauthorized read|attack the encryption of *K1* with *R*|anyone|any one file|the security of the encryption scheme used for *K1*, and the secrecy of the read-key *R*|*p*.2^min(*r*,*k*)^|
|3|forgery of immutable file|generate a matching read-cap (*R*,*T*) for someone else's file|anyone|any one file|the hash function's and cap format's second-preimage resistance on (*R*,*T*). This also depends on the encryption of *K1* being deterministic and correct.|*p*/*N*.2^*r*+*t*^ [5]footnote|
|4|roadblock or speedbump [2]footnote|generate (*K1enc*,*Dhash*,*V*) that hash to someone else's *T*, and copy their *S*|anyone [6]footnote|any one file|the hash function's and cap format's second-preimage resistance on *T*|*p*/*N*.2^*t*^|
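Review bot: in the new row 1 cost cell, "approx sqrt(2.*p*)" holds only for small *p*, and the cell itself does not say so; a reader has to follow footnote 7 to learn the restriction. This commit also defines *c*(*p*) = sqrt(2.ln(1/(1-*p*))) in the text below the table, so consider writing the cell in terms of *c*(*p*), which makes the entry exact and puts the new definition to use, or at least add "for small *p*" inside the cell.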
@ -21,7 +21,9 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
(The notes to the diagram assume *k* == *r*.)
*p* <= 1 is the success probability of an attack. *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them.
*p* is the success probability of an attack (0 < *p* <= 1), and *c*(*p*) = sqrt(2.ln(1/(1-*p*))). (For example, *c*(1/2) = 1.18 and *c*(2^-40) = . For small *p*, ln(1/(1-*p*)) approx= *p*.)
*N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them.
1. *shape-shifter immutable file*: creator creates more than one file matching the immutable file readcap
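Review bot: the added example "*c*(2^-40) = ." has nothing after the equals sign. Using the small-*p* approximation stated in the same sentence, the value is about sqrt(2.2^-40) = 2^-19.5; fill it in or drop the second example. Separately, the stated range 0 < *p* <= 1 includes *p* = 1, where ln(1/(1-*p*)) is undefined, so *c*(*p*) needs *p* < 1 or an explicit remark that the cost is unbounded at *p* = 1.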
@ -30,8 +32,10 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
3. *undeletion*: attacker makes a deleted file (for which it need not have had a read cap) accessible at its previous storage index, and readable by previous read caps
4. See the probability table at <http://en.wikipedia.org/wiki/Birthday_Paradox> . The effective hash length is approximately min(*s*,*r*)+*t* bits.
4. See the probability table at <http://en.wikipedia.org/wiki/Birthday_Attack> . The effective hash length is approximately min(*s*,*r*)+*t* bits.
5. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See <http://www.schneier.com/paper-preimages.pdf> . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than *t* bits, but it is significant for the other second-preimage attacks.
6. *roadblock*/*speedbump* attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at <http://jacaranda.org/tahoe/mutable-addonly-elkpoint-3.svg> for mutable files).
7. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-*p*))).2^(*r*+*t*)/2^, but the approximation given here is very accurate for small *p*, and can only underestimate the cost. For *p* = 1/2 it underestimates by only a factor of 1.18. For *p* near 1 it underestimates severely; it is very hard for an attacker to be *certain* to find a collision.
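Review bot: footnote 7 writes out sqrt(2.ln(1/(1-*p*))) a second time instead of referring to *c*(*p*), which this commit defines in the paragraph after the table; two copies of the same formula can drift apart in later edits. Suggest stating the exact cost factor as *c*(*p*) and keeping only the accuracy remarks here. It would also help to note that the factor of 1.18 at *p* = 1/2 is *c*(1/2) divided by sqrt(2.1/2) = 1, so the reader can see why it coincides with the example value given for *c*(1/2).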