On 28/09/17 11:43, Vincent Breitmoser wrote:
> Hi Trevor,
>
> thanks for your reply
>
>> If you hash everything together you have to worry about
>> collision-resistance, so you still need a similar-sized value (e.g.
>> 200 bits).
>
> I thought about this for a while, and I see what you mean. Since hashing
> the values together means Mallory can switch out keys on both sides, not
> just Bob's, the attack scenario shifts from preimage(B) to
> collision(A'B'). That makes sense, - too bad, really :)

But to find A', B' such that safetyNumber(A',B) == safetyNumber(A,B'), the attacker has to perform stretching for every pair of candidates for A', B'. Doesn't the stretching make the collision search infeasible? (And if not, couldn't it be replaced with stretching that would, using Argon2 or whatever?)

Cheers,
Michael
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
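Added example, not part of the original thread: a toy model of the collision search discussed above, counting how many stretched evaluations a two-list search needs before safetyNumber(A',B) == safetyNumber(A,B'). The combined `safety_number` function, its 16-bit truncation, the 200-round SHA-256 stretching and all key values are assumptions constructed for illustration.

```python
import hashlib

BITS = 16      # toy output size (assumption); real safety numbers are far longer
STRETCH = 200  # toy stretching rounds (assumption), stands in for any slow hash


def safety_number(key_a: bytes, key_b: bytes) -> int:
    """Hypothetical combined fingerprint: stretched hash of both keys, truncated."""
    digest = len(key_a).to_bytes(2, "big") + key_a + key_b
    for _ in range(STRETCH):
        digest = hashlib.sha256(digest).digest()
    return int.from_bytes(digest, "big") >> (256 - BITS)


def two_list_search(key_a: bytes, key_b: bytes):
    """Find A', B' with safety_number(A', B) == safety_number(A, B').

    Returns (a_fake, b_fake, evaluations). Every candidate is stretched once
    and stored; comparing it against the other side is only a dict lookup.
    """
    seen_a, seen_b = {}, {}  # fingerprint value -> candidate key
    evaluations = 0
    i = 0
    while True:
        a_fake = b"constructed-A'-%d" % i
        b_fake = b"constructed-B'-%d" % i
        va = safety_number(a_fake, key_b)  # value Bob would display
        vb = safety_number(key_a, b_fake)  # value Alice would display
        evaluations += 2
        seen_a[va] = a_fake
        seen_b[vb] = b_fake
        if va in seen_b:
            return a_fake, seen_b[va], evaluations
        if vb in seen_a:
            return seen_a[vb], b_fake, evaluations
        i += 1


if __name__ == "__main__":
    A, B = b"constructed-key-A", b"constructed-key-B"
    a_fake, b_fake, n = two_list_search(A, B)
    per_side = n // 2
    print(f"match after {n} stretched evaluations "
          f"({per_side * per_side} candidate pairs covered, 2^{BITS} possible values)")
```

In this model the number of stretched evaluations grows with the number of candidates, not with the number of candidate pairs, so stretching multiplies the search cost by a constant factor and the output length still has to be sized for collision resistance.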