From dbbbca178680fd668edda3141f90b86232b648f3 Mon Sep 17 00:00:00 2001
From: davidsarah <>
Date: Thu, 15 Oct 2009 05:04:33 +0000
Subject: [PATCH] add URL for post about multicollision attacks

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 46]
---
 NewCaps/WhatCouldGoWrong.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NewCaps/WhatCouldGoWrong.md b/NewCaps/WhatCouldGoWrong.md
index 4855df3..063943f 100644
--- a/NewCaps/WhatCouldGoWrong.md
+++ b/NewCaps/WhatCouldGoWrong.md
@@ -38,4 +38,4 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
 
 7. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-*p*))).2^(*r*+*t*)/2^, but the approximation given here is very accurate for small *p*, and can only underestimate the cost. For *p* = 1/2 it underestimates by only a factor of 1.18. For *p* near 1 it underestimates severely; it is very hard for an attacker to be *certain* to find a collision.
 
-8. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits that would yield an easier attack on the combined hash. [mailing list article]ref
\ No newline at end of file
+8. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits, that would yield an easier attack on the combined hash. See <http://allmydata.org/pipermail/tahoe-dev/2009-October/003006.html> .
\ No newline at end of file