add URL for post about multicollision attacks

[Imported from Trac: page NewCaps/WhatCouldGoWrong, version 46]
davidsarah 2009-10-15 05:04:33 +00:00
parent 27a7bd9e48
commit dbbbca1786

@ -38,4 +38,4 @@ where *k* = bitlength(*K1*), *r* = bitlength(*R*), *s* = bitlength(*S*), *t* = b
7. The formula given in the Wikipedia Birthday Attack page is sqrt(2.ln(1/(1-*p*))).2^(*r*+*t*)/2^, but the approximation given here is very accurate for small *p*, and can only underestimate the cost. For *p* = 1/2 it underestimates by only a factor of 1.18. For *p* near 1 it underestimates severely; it is very hard for an attacker to be *certain* to find a collision.
8. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits that would yield an easier attack on the combined hash. [mailing list article]ref
8. In order for the combined hash with output (*R*,*T*) to have the strength against collision and preimage attacks given here, there must not be multicollision attacks against the hash truncated to *r* bits or to *t* bits, that would yield an easier attack on the combined hash. See <http://allmydata.org/pipermail/tahoe-dev/2009-October/003006.html> .
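Review bot: the comma added before "that would yield" in the new item 8 changes the meaning. With the comma the clause reads as a parenthetical, so the sentence now seems to require that no multicollision attacks exist against the truncated hash at all. The old wording only excluded those that give an easier attack on the combined hash. Suggest dropping the comma and keeping the restrictive form "to *t* bits that would yield an easier attack". Two smaller points on the same line: there is a stray space before the final period after the URL, and replacing the "[mailing list article]" text with a bare pipermail link loses the description of what is being cited. Something like "See the tahoe-dev mailing list article at <...>." would keep the reference readable if the archive URL ever changes.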