[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

Tom Ritter tom at ritter.vg
Fri Jul 11 06:45:52 PDT 2014


On 10 July 2014 12:29, David Leon Gil <coruus at gmail.com> wrote:
> Michael: Agreed.
>
> All these calculations raise an interesting point: What do we *mean*
> when we say a "2^80 attacker".
>
> If we're assuming an attacker who can, for each key exchange of
> interest, do 2^80 hash evals, this is an attacker that *yearly* does a
> huge amount of computation: Suppose that you need to perform the
> computation in < 2^8 seconds. There are ~ 2^25 seconds per year, so
> the attacker can do 2^97 hash-eval-equivalents per year.

In my mind, a 2^80 attacker is targeting a single key, and trying to
achieve a key whose fingerprint gets as close* to the target
fingerprint as possible. (*Where close is defined according to... the
attacker?)  They will then go use that key in a phishing attack of
some sort.  To create the key, they can perform 2^80 key generation
attempts.

-tom


More information about the Messaging mailing list