On 07/11/2014 09:45 AM, Tom Ritter wrote: > In my mind, a 2^80 attacker is targeting a single key,
Hm, i don't think this is always true.
There are groups of people (and groups of machines) where the attacker
can get value from impersonating any one of them. For example, a
mid-size hosting company may operate roughly 2^10 servers, each with its
own ssh host key. With many modern OpenSSH instances, each sshd has 3
or even 4 host keys: dsa, rsa, ecdsa. ed25519; so that's 2^11 or 2^12
target keys you can try to match.
Maybe we don't want to capture this additional attacker advantage in our
model, but if so, we should at least explicitly state it as out of scope.
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
