On 10 July 2014 12:29, David Leon Gil <[email protected]> wrote:
> Michael: Agreed.
>
> All these calculations raise an interesting point: What do we *mean*
> when we say a "2^80 attacker".
>
> If we're assuming an attacker who can, for each key exchange of
> interest, do 2^80 hash evals, this is an attacker that *yearly* does a
> huge amount of computation: Suppose that you need to perform the
> computation in < 2^8 seconds. There are ~ 2^25 seconds per year, so
> the attacker can do 2^97 hash-eval-equivalents per year.

In my mind, a 2^80 attacker is targeting a single key, and trying to achieve a key whose fingerprint gets as close* to the target fingerprint as possible. (*Where close is defined according to... the attacker?) They will then go use that key in a phishing attack of some sort. To create the key, they can perform 2^80 key generation attempts.

-tom
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
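
The two readings of a "2^80 attacker" in this exchange can be put into numbers, which is what a designer needs when deciding how much of a fingerprint users must compare. The sketch below is an added example, not code from the thread; the 160-bit fingerprint length, the choice of prefix match and Hamming distance as the two definitions of "close", and the use of truncated SHA-256 as a stand-in fingerprint are all assumptions.

```python
import hashlib
from math import comb

def yearly_budget_log2(per_key_log2=80, window_log2=8, year_log2=25):
    """log2 of yearly hash evals if every 2^per_key search must finish
    within 2^window seconds (the per-exchange reading of the budget)."""
    return per_key_log2 - window_log2 + year_log2

def best_prefix_bits(attempts_log2, fp_bits):
    """Leading target bits an attacker expects to match after 2^k tries."""
    return min(attempts_log2, fp_bits)

def best_hamming_distance(attempts_log2, fp_bits):
    """Smallest d at which the expected number of tries landing within
    Hamming distance d of the target fingerprint reaches 1."""
    ball = 0
    for d in range(fp_bits + 1):
        ball += comb(fp_bits, d)  # count of fingerprints within distance d
        if ball << attempts_log2 >= 1 << fp_bits:
            return d
    return fp_bits

def simulate_hamming(attempts_log2, fp_bits, target=b"constructed target key"):
    """Toy-scale check of the estimate. Inputs are constructed strings and
    SHA-256 truncated to fp_bits stands in for a key fingerprint."""
    def fp(data):
        digest = hashlib.sha256(data).digest()
        return int.from_bytes(digest, "big") >> (256 - fp_bits)
    t = fp(target)
    return min(bin(t ^ fp(b"constructed candidate %d" % i)).count("1")
               for i in range(1 << attempts_log2))

if __name__ == "__main__":
    print("yearly budget: 2^%d" % yearly_budget_log2())
    print("160-bit fingerprint, 2^80 key generation attempts:")
    print("  prefix bits matched :", best_prefix_bits(80, 160))
    print("  bits left differing :", best_hamming_distance(80, 160))
    print("16-bit toy, 2^8 attempts: predicted %d, observed %d"
          % (best_hamming_distance(8, 16), simulate_hamming(8, 16)))
```

Under the Hamming definition the same budget leaves far fewer differing bits than the prefix definition suggests, so the answer to "how close" depends on which comparison the user actually performs.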
