[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)
David Leon Gil
coruus at gmail.com
Thu Jul 10 09:29:47 PDT 2014
All these calculations raise an interesting point: What do we *mean*
when we say a "2^80 attacker".
If we're assuming an attacker who can, for each key exchange of
interest, do 2^80 hash evals, this is an attacker that *yearly* does a
huge amount of computation: Suppose that you need to perform the
computation in < 2^8 seconds. There are ~ 2^25 seconds per year, so
the attacker can do 2^97 hash-eval-equivalents per year.
Is this realistic?
Looking very quickly at Bitcoin (which I know fairly little about, so
take calculations with a grain of salt):
Right now log2(probability of solving a block) is ~ -66. The
difficulty is set so that blocks are found every 600 seconds. This
gives ~ 2^57 hashes per second, and thus 2^82 hashes per
Does anyone have an estimate of the total cost of "mining" equipment
in use? (An upper bound for computational effort would then be
cost-per-hash * NSA's budget + Moore's law.)
(And does anyone know the comparable numbers for Litecoin, which uses
scrypt? Buying scrypt ASICs in bulk, the cost is $9 per chip. Each
chip does 2^20 scrypt[params=?] evals per second.)
[^bitops]: Btw, quick estimate is that SHA2-256 requires about 2^15
bitops, in the sense of djb's papers (if not optimized for partial
evaluation). So Bitcoin is doing perhaps 2^97 bitops per year. (This
makes 2^112 strength elliptic curves look rather dicey...)
On Wed, Jul 9, 2014 at 9:08 AM, Michael Rogers <michael at briarproject.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> On 03/07/14 14:38, Tom Ritter wrote:
>> The odds of an attacker matching (at least) X bits of a 126-bit
>> fingerprint is given by the probability density function of
>> binomial distribution:
> Take the pdf from that and plug it into a sum from (say) 80..126 -
>> that's the probability of matching at least 80 bits in a single
>> generation: .00156280. Plug that probability into a binomial
>> distribution with 2^15 (yes, 2^15 not 2^80) trials and you get an
>> 'at least one sucess' rate of near 100%. Which makes sense. An
>> attacker who can run 2^15 trials can match 80 of 126 bits pretty
>> easily. (You match 63 on average in a single trial).
> I think you're right that the binomial distribution is the tool to use
> here, but there's another way we can use it.
> The probability of matching exactly x of 128 bits in a single attempt
> is P(X = x) = 2.93874 * 10^-39 * binomial(128, x). We can take the sum
> from x = b..128 to find the probability of matching at least b bits in
> a single attempt, P(X >= b) = sum(x = b..128, P(X = x)).
> Now, the attacker has 2^80 independent attempts. So we're looking for
> the value of b that makes P(X >= b) = 1/2^80. Or, since there's
> unlikely to be an integer value of b that's exactly right, we're
> looking for the highest value of b that makes P(X >= b) >= 1/2^80.
> By trial and error, that's b = 117.
>> But what about _specific_ bits instead of _any_ bits.
>> What are the odds of any single random fingerprint generation
>> matching the first 9 and last 9 bits of a 126-bit fingerprint?
>> This is not a binomial distribution, it's just a straight .5^18, or
>> 1/262144. The odds that an attacker who can generate 2^15 (again
>> not 2^80, but 2^15) fingerprints will hit the 9+9 match is
> I'd love to ratchet that up to 2^80, but again, it breaks WA. =(
> Fortunately, I don't think we need the binomial distribution for this
> case. As you say, the probability of each attempt matching b specific
> bits is simply 1/2^b, so a 2^80 attacker can expect to match 80
> specific bits. Half the remaining bits will also match, on average.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> -----END PGP SIGNATURE-----
> Messaging mailing list
> Messaging at moderncrypto.org
More information about the Messaging