[messaging] Question regarding Whatsapp/Signal Safety Numbers

Nadim Kobeissi nadim at nadim.computer
Thu Sep 28 03:28:38 PDT 2017

While it’s true that having an input value smaller than the hash length should, in theory, totally rule out collisions, is it really the case that a 400-bit input would constitute a realistic collision danger on modern hash functions with a 256-bit output hash length (to the extent of doubling the work a user has to do to authenticate?)

I’m not an expert on hash functions, maybe someone like Jean-Philippe Aumasson should be answering this.

Sent from my computer

> On 27 Sep 2017, at 8:10 PM, Trevor Perrin <trevp at trevp.net> wrote:
> On Wed, Sep 27, 2017 at 6:01 PM, Vincent Breitmoser
> <look at my.amazin.horse> wrote:
>> Simply hashing all of the public keys and user ids together into one
>> Alice+Bob-specific safety number has none of these problems, yielding
>> the same 100 bits preimage attack scenario, in only half the digits.
> Hi Vincent,
> If you hash everything together you have to worry about
> collision-resistance, so you still need a similar-sized value (e.g.
> 200 bits).
> So that doesn't reduce the size, but that does lose the ability to
> extract out individual "fingerprints" from the safety number halves.
> Trevor
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

More information about the Messaging mailing list