| >    They extended the confirmation-of-a-file attack into the
| >    learn-partial-information attack. In this new attack, the
| >    attacker learns some information from the file. This is done by
| >    trying possible values for unknown parts of a file and then
| >    checking whether the result matches the observed ciphertext.
| How is this conceptually different from classic dictionary attacks,
| and why does e.g. running the file through PBKDF2 and using the result
| for convergence not address your concern(s)?
How would that help?

Both the ability of convergent encryption to eliminate duplicates,
and this attack, depend on there being a deterministic algorithm
that computes a key from the file contents.  Sure, if you use a
different salt for each file, the attack goes away - but so does
the de-duplication.  If you don't care about de-duplication, there
are simpler, cheaper ways to choose a key.
                                                        -- Jerry

| --
| Ivan Krsti? <[EMAIL PROTECTED]> | http://radian.org
| ---------------------------------------------------------------------
| The Cryptography Mailing List
| Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to