[messaging] Question regarding WhatsApp/Signal Safety Numbers
Nadim Kobeissi
nadim at nadim.computer
Thu Sep 28 03:28:38 PDT 2017
While it’s true that having an input value smaller than the hash length should, in theory, totally rule out collisions, is it really the case that a 400-bit input would constitute a realistic collision danger on modern hash functions with a 256-bit output hash length (to the extent of doubling the work a user has to do to authenticate)?
I’m not an expert on hash functions, maybe someone like Jean-Philippe Aumasson should be answering this.
Nadim
Sent from my computer
> On 27 Sep 2017, at 8:10 PM, Trevor Perrin <trevp at trevp.net> wrote:
>
> On Wed, Sep 27, 2017 at 6:01 PM, Vincent Breitmoser
> <look at my.amazin.horse> wrote:
>>
>> Simply hashing all of the public keys and user ids together into one
>> Alice+Bob-specific safety number has none of these problems, yielding
>> the same 100 bits preimage attack scenario, in only half the digits.
>
> Hi Vincent,
>
> If you hash everything together you have to worry about
> collision-resistance, so you still need a similar-sized value (e.g.
> 200 bits).
>
> So that doesn't reduce the size, but that does lose the ability to
> extract out individual "fingerprints" from the safety number halves.
>
> Trevor
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging
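The exchange above turns on two different security bounds: a safety number that is one hash over everyone's keys needs collision resistance, while per-party fingerprints only need preimage resistance, and the collision bound depends on how many bits of the hash are shown, not on how long the hashed input is. The script below is an added illustration of that point, not code from this thread or from Signal/WhatsApp. It truncates SHA-256 to 20 bits (a constructed toy size so the searches finish quickly) and measures, with fixed constructed inputs, how many hashes a birthday search needs to find a collision (about 2^10, following sqrt(pi/2 * 2^20)) versus how many a brute-force search needs to hit one fixed target value (about 2^20). Running the collision search once with a 400-bit prefix and once with a 16-bit prefix shows that the input length does not change the collision effort.

```python
import hashlib
import math

# Constructed parameter for the demonstration (not from the thread): a short
# truncation so both searches finish in well under a minute.
TRUNC_BITS = 20


def truncated_hash(data: bytes, bits: int = TRUNC_BITS) -> int:
    """SHA-256 of `data`, keeping only the top `bits` bits.

    A safety number that displays k bits of a hash behaves like a k-bit hash,
    no matter how many bits of key material went into it.
    """
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def candidate(prefix: bytes, counter: int) -> bytes:
    """Fixed-layout input: `prefix` stands in for key material the searcher
    does not control, followed by an 8-byte counter that they do."""
    return prefix + counter.to_bytes(8, "big")


def find_collision(prefix: bytes, bits: int = TRUNC_BITS):
    """Birthday search: remember every truncated hash until one repeats.

    Returns (input_a, input_b, tries). Expected tries ~ sqrt(pi/2 * 2**bits),
    so the work grows with the OUTPUT length, not with len(prefix).
    """
    seen = {}
    counter = 0
    while True:
        msg = candidate(prefix, counter)
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def find_preimage(target: int, prefix: bytes, bits: int = TRUNC_BITS,
                  max_tries: int = 1 << 26):
    """Brute force for an input whose truncated hash equals one fixed `target`.

    Expected tries ~ 2**bits, i.e. twice the exponent of the birthday search.
    This is why a design that only needs preimage resistance can show half
    the digits for the same security level. Returns (input or None, tries).
    """
    for counter in range(max_tries):
        msg = candidate(prefix, counter)
        if truncated_hash(msg, bits) == target:
            return msg, counter + 1
    return None, max_tries


def expected_collision_tries(bits: int) -> float:
    """Birthday-bound estimate of inputs hashed before the first collision."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


if __name__ == "__main__":
    # 50 bytes = 400 bits of constructed "key material", the size asked about.
    long_prefix = bytes(range(50))
    short_prefix = b"ab"
    _, _, tries_long = find_collision(long_prefix)
    _, _, tries_short = find_collision(short_prefix)
    print(f"collision with 400-bit prefix after {tries_long} hashes")
    print(f"collision with  16-bit prefix after {tries_short} hashes")
    print(f"birthday estimate for {TRUNC_BITS} bits: "
          f"{expected_collision_tries(TRUNC_BITS):.0f}")
    target = truncated_hash(candidate(long_prefix, 0))
    _, tries_pre = find_preimage(target, b"constructed-other-prefix")
    print(f"preimage of one fixed {TRUNC_BITS}-bit value after {tries_pre} "
          f"hashes (expect about 2^{TRUNC_BITS})")
```

Scaling the toy numbers up gives the sizes in the thread: a 200-bit combined safety number offers about 2^100 collision work, which is the same order as the 100-bit preimage scenario Vincent describes, so merging the fingerprints into one hash does not let you shorten the string.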