[messaging] Hashing entries in a transparency log
jbonneau at gmail.com
Wed Sep 3 18:54:14 PDT 2014
On Wed, Sep 3, 2014 at 2:26 PM, Trevor Perrin <trevp at trevp.net> wrote:
> People would probably reverse most of the addresses,
> so this means the difference between publishing, I dunno, 90% of email
> addresses versus 100%? (though for targeted users - political
> candidates, celebrities, etc, people would tune the searches and have
> a higher success rate.)
A bit more formally stated, after hashing, an attacker willing to check X
trial hashes will get Y% of email addresses. By "strengthening" the hash
(multiple iterations, memory-hard functions, etc.) you can try to limit the
value of X for a given attacker.
We have no hard numbers on what the X/Y curve would look like for email
addresses, but based on the distributions of passwords and human names, which I
studied extensively in my thesis, it's probably safe to say that for X
< 2^30 you would get at least 50% of the email addresses and for 2^40 or
2^50 you'd hit the 90% range.
It would be a fun project to modify a password cracking library to guess
email addresses and see how well you can actually do.
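
The X/Y relationship described above, measured on constructed data, as an added example that is not part of the original message. PBKDF2 with a fixed public label stands in for "multiple iterations" (an assumption; the thread names no specific function), and the addresses, the guess ordering and the budget are all made up for illustration.

```python
import hashlib

# Assumed fixed, public label: entries must hash deterministically so that
# anyone can look an address up in the log, so there is no secret per-entry salt.
LABEL = b"example-log-v1"

def entry_hash(address: str, iterations: int) -> bytes:
    """Hash one log entry; `iterations` is the strengthening knob."""
    return hashlib.pbkdf2_hmac("sha256", address.lower().encode(), LABEL, iterations)

def coverage_curve(published, ranked_guesses, iterations):
    """Y after each X: fraction of entries matched by the first X trial hashes."""
    remaining = {entry_hash(a, iterations) for a in published}
    total = len(remaining)
    curve = []
    for guess in ranked_guesses:
        remaining.discard(entry_hash(guess, iterations))
        curve.append((total - len(remaining)) / total)
    return curve

def exposure(published, ranked_guesses, iterations, budget_hash_calls):
    """Y for a fixed budget of underlying hash calls; one trial costs `iterations`."""
    x = min(budget_hash_calls // iterations, len(ranked_guesses))
    if x == 0:
        return 0.0
    return coverage_curve(published, ranked_guesses[:x], iterations)[-1]

# Constructed sample data (reserved example domains, not real users).
PUBLISHED = ["alice@example.com", "bob@example.com",
             "j.smith@example.org", "zq81x7k@example.org"]
# Constructed guess list, ordered from most to least likely.
GUESSES = ["bob@example.com", "alice@example.com", "carol@example.com",
           "j.smith@example.org", "dave@example.org", "erin@example.com"]

if __name__ == "__main__":
    # Same budget, rising iteration count: X shrinks, and Y follows it down.
    for iters in (1, 1000, 2000, 8000):
        print(iters, exposure(PUBLISHED, GUESSES, iters, 4000))
```

The unguessable-looking address never appears on the curve, while the common ones fall within the first few trials; raising the iteration count only moves the point on the curve that a fixed budget reaches.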