# [messaging] Test Data for the Usability Study

Michael Rogers michael at briarproject.org
Mon May 26 02:55:20 PDT 2014

```-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 26/05/14 01:15, Tom Ritter wrote:
> Third: Figure out how to approximate an attacker who can perform
> 2^80 calculations in the 'weird' cases.  For a 32-character hex
> fingerprint, a 2^80 attacker can match 20 characters.
>
> Weird Case 1: An attacker matches the beginning and end parts of
> the fingerprint to try and trick someone doing a visual compare.
> Clearly, matching the beginning and ending 10 characters exactly is
> harder than matching any 20. but how much harder? Would a match of
> the beginning and ending 8 characters correctly characterize a 2^80
> attacker?

As I've mentioned before, I don't think we can make a fair comparison
of 'weird' attacks across fingerprint representations.

Having said that... a 2^80 attacker can match 20 characters at chosen
positions. I don't know how to calculate how many characters a 2^80
attacker could match at unchosen positions, but it seems to me that it
would depend on the number of positions, i.e. the length of the
fingerprint.

> Weird Case 2: An attacker tries the match the fingerprint by
> pronunciation to try and trick someone doing a vocal compare.
> Again, matching 20 characters exactly and making the remaining 12
> 'sound alike' is harder than just matching 20. Would an attacker
> getting 28 characters to 'sound alike' and have the rest match
> exactly approximate a 2^80 attack?

We don't even have a metric for 'sound alike', so this question isn't
well-founded.

Cheers,
Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJTgw+IAAoJEBEET9GfxSfMF08H+wWrntqdVbKp34QbtcQoGe4W
uCKggnCp1rJvWqcJ8V/FaOpOqvneXPL1ttl4TWn+hA1p+7tObz8R9gQDrtdqrdrH
9E4tOSLrCtGpGL9p8kAGfEHIzoXi4lTZO6dLiolI6VR7KgiKjHsBA61wWpYtfVyK
i7vL/k7H+vi1HqnfwptRNet9gzC5bFZauSnMp+/Zc/pYd5ucQpbABBA+8vETaC7R
IeX1fQChREgxVD2UURclr2EqLHBSVbSxtGeKtHuENkyI8VljwKYJe3mMmnkMhsLS
hdnOjjKN8lYSCSh7maxWfIPSqfchC9FmOUDq+6qhhVOxaSC/QvIhTidsGRpq074=
=UIW+
-----END PGP SIGNATURE-----
```