[messaging] Question regarding Whatsapp/Signal Safety Numbers

Michael Rogers michael at briarproject.org
Thu Sep 28 04:24:38 PDT 2017

On 28/09/17 11:43, Vincent Breitmoser wrote:
> Hi Trevor,
> thanks for you reply
>> If you hash everything together you have to worry about
>> collision-resistance, so you still need a similar-sized value (e.g.
>> 200 bits).
> I thought about this for a while, and I see what you mean. Since hashing
> the values together means Mallory can switch out keys on both sides, not
> just Bob's, the attack scenario shifts from preimage(B) to
> collision(A'B'). That makes sense, - too bad, really :)

But to find A', B' such that safetyNumber(A',B) == safetyNumber(A,B'),
the attacker has to perform stretching for every pair of candidates for
A', B'. Doesn't the stretching make the collision search infeasible?
(And if not, couldn't it be replaced with stretching that would, using
Argon2 or whatever?)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x9FC527CC.asc
Type: application/pgp-keys
Size: 4660 bytes
Desc: not available
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20170928/484a6f78/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20170928/484a6f78/attachment.sig>

More information about the Messaging mailing list