cost of brute-force multi-target preimage attacks can't be reduced to less than a collision attack

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 54]
2009-11-21 20:35:07 +00:00 · 2009-11-21 20:35:07 +00:00 · b4953091d2
parent f8ab6c4eeb
commit b4953091d2
1 changed files with 1 additions and 1 deletions
--- a/NewCaps/WhatCouldGoWrong.md
+++ b/NewCaps/WhatCouldGoWrong.md
@ -23,7 +23,7 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b

 (The notes to the diagram assume *k* == *r*.)

-*p* is the success probability of an attack (0 < *p* <= 1). *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them.
+*p* is the success probability of an attack (0 < *p* <= 1). *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them. Note that since the attacker must also expend work to obtain each target hash, the cost of brute force cannot be reduced below a "square root" attack. For example, the work to forge an immutable file (attack !#3) by brute force cannot be reduced to less than sqrt(*p*).2^(*r*+*t*)/2^ (roughly the same work as a collision attack), no matter how many targets are available.


 1. *shape-shifter immutable file*: creator creates more than one file matching the immutable file readcap