From b4953091d20f0b25752a16ebe0aebaab5eccaee6 Mon Sep 17 00:00:00 2001
From: davidsarah <>
Date: Sat, 21 Nov 2009 20:35:07 +0000
Subject: [PATCH] cost of brute-force multi-target preimage attacks can't be
 reduced to less than a collision attack

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 54]
---
 NewCaps/WhatCouldGoWrong.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NewCaps/WhatCouldGoWrong.md b/NewCaps/WhatCouldGoWrong.md
index 3707a2c..cfc5b9f 100644
--- a/NewCaps/WhatCouldGoWrong.md
+++ b/NewCaps/WhatCouldGoWrong.md
@@ -23,7 +23,7 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
 
 (The notes to the diagram assume *k* == *r*.)
 
-*p* is the success probability of an attack (0 < *p* <= 1). *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them.
+*p* is the success probability of an attack (0 < *p* <= 1). *N* is the number of targets for preimage attacks; this assumes that the attacker has stored the relevant hashes for *N* files and is content with finding a preimage for any of them. Note that since the attacker must also expend work to obtain each target hash, the cost of brute force cannot be reduced below a "square root" attack. For example, the work to forge an immutable file (attack !#3) by brute force cannot be reduced to less than sqrt(*p*).2^(*r*+*t*)/2^ (roughly the same work as a collision attack), no matter how many targets are available.
 
 
 1. *shape-shifter immutable file*: creator creates more than one file matching the immutable file readcap