[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Jul 11 10:46:00 PDT 2014

On 07/11/2014 09:45 AM, Tom Ritter wrote:
> In my mind, a 2^80 attacker is targeting a single key,

Hm, i don't think this is always true.

There are groups of people (and groups of machines) where the attacker
can get value from impersonating any one of them.  For example, a
mid-size hosting company may operate roughly 2^10 servers, each with its
own ssh host key.  With many modern OpenSSH instances, each sshd has 3
or even 4 host keys: dsa, rsa, ecdsa. ed25519; so that's 2^11 or 2^12
target keys you can try to match.

Maybe we don't want to capture this additional attacker advantage in our
model, but if so, we should at least explicitly state it as out of scope.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140711/3f3bff7e/attachment.sig>

More information about the Messaging mailing list