From b0eca537019bd04f60c83f805e276f8adba0e226 Mon Sep 17 00:00:00 2001 From: zooko <> Date: Mon, 14 Jan 2013 02:27:59 +0000 Subject: [PATCH] https, when available [Imported from Trac: page NewCaps/WhatCouldGoWrong, version 58] --- NewCaps/WhatCouldGoWrong.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/NewCaps/WhatCouldGoWrong.md b/NewCaps/WhatCouldGoWrong.md index 0474317..f2e92b2 100644 --- a/NewCaps/WhatCouldGoWrong.md +++ b/NewCaps/WhatCouldGoWrong.md @@ -32,9 +32,9 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b 3. *undeletion*: attacker makes a deleted file (for which it need not have had a read cap) accessible at its previous storage index, and readable by previous read caps -4. See the probability table at . The effective hash length is approximately min(*s*,*r*)+*t* bits. +4. See the probability table at . The effective hash length is approximately min(*s*,*r*)+*t* bits. -5. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than *t* bits, but it is significant for the other second-preimage attacks. +5. On Merkle-Damgård hashes with an internal state that is the same size as the hash output (like SHA-256), there are better second-preimage attacks than brute force. See . The doubled "SHA-256d" construction used by Tahoe does not help here. This is not significant for roadblock/speedbump attacks because the internal state will be much larger than *t* bits, but it is significant for the other second-preimage attacks. 6. *roadblock*/*speedbump* attacks could be restricted to holders of a read cap by use of an extra signature, as in the Elk Point 3 design (diagram at for mutable files).
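Review bot: in items 4 and 5 of the `@@ -32,9 +32,9 @@` hunk, the removed and added lines read identically as shown here ("See the probability table at ." and "See ."), with no link target visible on either side, so the http-to-https switch named in the subject cannot be confirmed from this diff. Please verify that each new URL resolves over https and serves the same content as the old one. The unchanged item 6 also carries a link reference ("diagram at for mutable files") that this change does not touch. If that host offers https, update it in the same commit so the page's links are consistent, or say in the commit message that https is not available there.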