[messaging] Bounding hash 2d preimage bits (was Re:...Test Data)

Joseph Bonneau jbonneau at gmail.com
Wed Jul 23 17:09:29 PDT 2014

On Wed, Jul 23, 2014 at 1:10 PM, Trevor Perrin <trevp at trevp.net> wrote:
> That's a good idea, spending several extra seconds during key
> generation may well be worth a fingerprint that's smaller by
> 20-something bits.
> There's a few obvious twists on this:
> 2) Encode x into the fingerprint itself, e.g. use the first 4 bits to
> encode the count of zero bytes, allowing for a "scaleable" security
> level.

Sounds like a potentially bad idea for usability - can't the attacker
just set their fingerprint to have no zero bytes? A user doing the
comparison will probably ignore some extra junk in the middle. This is why
I was thinking the system needs to impose a universal minimum.

> 3) Instead of searching for a prefix of zero bytes, search for a
> fingerprint with a high value in some useability metric.  E.g., my
> "base32 pseudoword" format searches for a base32 fingerprint with high
> vowel-consonant alternation, which I think makes compact but
> pronounceable fingerprints, e.g.

The idea of pronounceable fingerprints sounds nice, but I would advocate
separating the work added to make brute-force expensive from the work
required by some more complicated hash algorithm which makes pronounceable
fingerprints. Intertwining them sounds like poor engineering for the same
reason depending on the difficulty of public key generation itself to slow
down fingerprint searching is.
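
The difference between the self-declared zero count (twist 2) and a universal minimum, as an added example that is not part of the original message. SHA-256, the pubkey||counter search, the 12-bit floor and all function names are assumptions made for illustration.

```python
import hashlib

MIN_ZERO_BITS = 12  # constructed demo value; the thread talks about 20-something bits

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def grind(pubkey: bytes, zero_bits: int):
    """Key-generation search (assumed form): bump a counter until the
    SHA-256 of pubkey||counter starts with zero_bits zero bits."""
    counter = 0
    while True:
        digest = hashlib.sha256(pubkey + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= zero_bits:
            return counter, digest
        counter += 1

def accept_self_declared(declared_zero_bytes: int, digest: bytes) -> bool:
    """Twist 2: a 4-bit field in the fingerprint states the zero-byte count.
    The field is chosen by whoever made the fingerprint, so 0 always passes."""
    return (0 <= declared_zero_bytes <= 15
            and leading_zero_bits(digest) >= 8 * declared_zero_bytes)

def accept_universal_min(digest: bytes) -> bool:
    """System-wide floor: every fingerprint must carry the same minimum work."""
    return leading_zero_bits(digest) >= MIN_ZERO_BITS

def short_fingerprint(digest: bytes, out_bits: int = 40) -> str:
    """Drop the implied zero prefix and show only the next out_bits bits."""
    if not accept_universal_min(digest):
        raise ValueError("hash does not meet the universal minimum")
    shift = len(digest) * 8 - MIN_ZERO_BITS - out_bits
    kept = (int.from_bytes(digest, "big") >> shift) & ((1 << out_bits) - 1)
    return f"{kept:0{out_bits // 4}x}"

if __name__ == "__main__":
    counter, digest = grind(b"constructed-public-key", MIN_ZERO_BITS)
    print("tries:", counter + 1, "fingerprint:", short_fingerprint(digest))
    unground = hashlib.sha256(b"constructed key with no search").digest()
    print("self-declared, field=0:", accept_self_declared(0, unground))
    print("universal minimum:     ", accept_universal_min(unground))
```

With a fixed floor the verifier, not the fingerprint, decides how much work is required, so the displayed string can omit the zero prefix entirely.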