Ed Gerck" <[EMAIL PROTECTED]> > It does to (as you can read in the paper). BTW, the "easily" applies to the case > WITHOUT salt
Well, to be really pedantic the paper never says that it is "easy" only that it has a work factor of the square root of the number of possible MAC strings without salt, and that adding the salt multiplies that by the square root of the possible number of salt values. That attack scenario certainly doesn't look easy to me :-). And as long as I'm being pedantic I'll point out my own mistake in my last message of using 'k' as the variable for block size (MAC length) instead of 'b' as in the paper. -- sidney --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]