[messaging] Test Data for the Usability Study

Michael Rogers michael at briarproject.org
Tue May 27 06:08:15 PDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Thanks for the correction - I didn't know there was a concept of edit
distance for pronounciation.

Nevertheless, we still don't have a way to compare the noticeability
of modifications across representations. How much phonic edit distance
is equivalent to, say, the difference between modifying a character at
the start of a fingerprint and modifying a character in the middle?

It seems to me that the only credible way to answer such questions is
empirically. We should start by making random modifications to the
data to be compared, and measuring the error rate (false positives and
false negatives) for each representation. Then we can come up with
some hypotheses for which modifications are more or less noticeable
for each representation, and test them against the data.

*Then* we may be able to say that this modification to this
representation is equally as noticeable as that modification to that
representation - and if so, we can then ask which representation
offers the most noticeability given an adversary with a computational
budget for making least-noticeable modifications.

Trying to guess which modifications will be least noticeable for each
representation before we have any data is trying to run before we can
walk, in my always humble opinion. ;-)

Cheers,
Michael

On 26/05/14 11:12, Christine Corbett Moran wrote:
> Actually we can have a metric for "sound alike"
> 
> it's a bit hackish but a simple pass would be to use nltk here's an
> example gist out there on getting pronunciation 
> https://gist.github.com/ConstantineLignos/1219749
> 
> two words "sound alike" if they have some specified edit distance 
> between their two pronunciations. e.g. one phone apart, or some
> more complicated measure.
> 
> C
> 
> 
> On Mon, May 26, 2014 at 11:55 AM, Michael Rogers 
> <michael at briarproject.org <mailto:michael at briarproject.org>>
> wrote:
> 
> On 26/05/14 01:15, Tom Ritter wrote:
>> Third: Figure out how to approximate an attacker who can perform 
>> 2^80 calculations in the 'weird' cases.  For a 32-character hex 
>> fingerprint, a 2^80 attacker can match 20 characters.
> 
>> Weird Case 1: An attacker matches the beginning and end parts of 
>> the fingerprint to try and trick someone doing a visual compare. 
>> Clearly, matching the beginning and ending 10 characters exactly
>> is harder than matching any 20. but how much harder? Would a
>> match of the beginning and ending 8 characters correctly
>> characterize a 2^80 attacker?
> 
> As I've mentioned before, I don't think we can make a fair
> comparison of 'weird' attacks across fingerprint representations.
> 
> Having said that... a 2^80 attacker can match 20 characters at
> chosen positions. I don't know how to calculate how many characters
> a 2^80 attacker could match at unchosen positions, but it seems to
> me that it would depend on the number of positions, i.e. the length
> of the fingerprint.
> 
>> Weird Case 2: An attacker tries the match the fingerprint by 
>> pronunciation to try and trick someone doing a vocal compare. 
>> Again, matching 20 characters exactly and making the remaining
>> 12 'sound alike' is harder than just matching 20. Would an
>> attacker getting 28 characters to 'sound alike' and have the rest
>> match exactly approximate a 2^80 attack?
> 
> We don't even have a metric for 'sound alike', so this question
> isn't well-founded.
> 
> Cheers, Michael _______________________________________________ 
> Messaging mailing list Messaging at moderncrypto.org
> <mailto:Messaging at moderncrypto.org> 
> https://moderncrypto.org/mailman/listinfo/messaging
> 
> 
> 
> 
> -- Christine Corbett Moran christine.corbett at gmail.com
> <mailto:christine.corbett at gmail.com> Physics @ ICS.uzh.ch
> <http://ICS.uzh.ch> // Zurich: +41 79 962 4499 Dev @
> http://circleof6app.com // Boston: +1 (617) 398-0452 Dev @
> https://whispersystems.org // SF: +1 (415) 670 9629 
> www.christinecorbettmoran.com
> <http://www.christinecorbettmoran.com/>
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJThI4/AAoJEBEET9GfxSfMwj0H/iLAxsPk6AS9gse3dQx+1c+N
cAieLME58d63QjklQgVr67l9nMFSsJkSci3WelzJluJuf8xcFX+v/2X2nrWuZzfW
ALm4AQLM5mKlKCEyhGlFOHFgN5X03NXN8PriSsQpJuytfiWQnt/2gpSpWcNUkvNY
pkjOqvbC5t8xVEGudkoreNw53L+//JMcNjNFOWrX5qNQdawdWqZc6PXq1+0nFd1d
31uFGus2taxka34v6YM/8vzhhzsJMze58RRna+S+kui1MnBCJi3q43vYCVUMuCAw
4AqhfZZMw/BJn3JQHKZAuVzjXUh8IxFtL0NwC7Xv84sL2nVkeBh4iY13b6udFvk=
=THuh
-----END PGP SIGNATURE-----


More information about the Messaging mailing list