On Thu, Aug 28, 2014 at 6:08 PM, yan <[email protected]> wrote:

> I guess I don't understand why hashing is necessarily "trivially
> invertible" here. If the threat is large precomputed rainbow tables of
> potential email addresses, you could have the email provider salt the
> hashes before submitting them to the log; or probably easier, have a
> unique "pepper" per email provider that gets rotated on some interval [1].
The issue is that usernames are extremely guessable. I think that Joseph Bonneau had some stats on this in his thesis. It can be made more difficult by using a largish scrypt instance, but it's still going to be easy to guess (at least) 50% of email addresses.

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
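The disagreement above is about whether a peppered scrypt hash of an email address is private against guessing. The following added example (not code from either correspondent or from the list) makes the point measurable: it builds log entries the way the quoted proposal sketches, then reports what fraction of them a short list of common local-parts reproduces once the pepper is handed to a verifier. The scrypt cost parameters, the domain, the pepper value and the sample addresses are all constructed assumptions for the demonstration.

```python
import hashlib
import os

# Cheap scrypt parameters so the example runs quickly. These are assumptions
# for the demonstration, not parameters proposed anywhere in the thread.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 10, 8, 1


def log_entry(email: str, pepper: bytes) -> str:
    """Hash an address as the quoted proposal sketches: scrypt over the
    normalised address, with the per-provider pepper used as the salt."""
    return hashlib.scrypt(
        email.strip().lower().encode(),
        salt=pepper, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    ).hex()


def recover_entries(entries, candidate_locals, domain, pepper):
    """Given published entries and the pepper a verifier must be given to
    check membership, hash each common local-part at one domain and return
    {entry: email} for every entry that a candidate reproduces."""
    wanted = set(entries)
    found = {}
    for local in candidate_locals:
        email = f"{local}@{domain}"
        digest = log_entry(email, pepper)
        if digest in wanted:
            found[digest] = email
    return found


def recoverable_fraction(entries, candidate_locals, domain, pepper) -> float:
    """Privacy metric for a candidate hashing scheme: the share of entries
    a guess list reproduces. A large scrypt cost only slows this loop down;
    it does not shrink the fraction, which is the reply's point."""
    if not entries:
        return 0.0
    hits = recover_entries(entries, candidate_locals, domain, pepper)
    return len(hits) / len(entries)


# Constructed sample data, not taken from the thread.
DOMAIN = "example.org"
COMMON_LOCALS = ["admin", "info", "john", "alice", "bob", "support", "jsmith"]
PEPPER = b"example-provider-pepper-2014-08"
SAMPLE_ENTRIES = [
    log_entry(f"{user}@{DOMAIN}", PEPPER)
    for user in ("alice", "bob", "jsmith", "x7q9zt")  # three guessable, one random
]

if __name__ == "__main__":
    hits = recover_entries(SAMPLE_ENTRIES, COMMON_LOCALS, DOMAIN, PEPPER)
    print(f"{len(hits)}/{len(SAMPLE_ENTRIES)} entries reproduced from the guess list")
    # With a pepper the guesser was never given, nothing is reproduced; but a
    # verifier without the pepper cannot check membership either, so rotating
    # it only helps against parties who are not meant to verify at all.
    print(recoverable_fraction(SAMPLE_ENTRIES, COMMON_LOCALS, DOMAIN, os.urandom(16)))
```

Run as a script, the first line reports three of the four constructed entries reproduced; the random local-part survives only because it is not on the guess list. The salt or pepper does what yan's message says it does (it defeats a precomputed table built before the pepper existed), while the reply's objection shows up in the fraction: whoever holds the pepper can still walk a list of likely usernames, and the scrypt cost changes only how long that walk takes.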
