On Monday,2009-09-07, at 18:16 , Brian Warner wrote: > How long do we need that hash to be? I'm not clear on the math. If > we want a 128bit security parameter, and we have a 128bit writecap > (the signing key), the DSA verifying key will be 256bits, yeah? > Would a 128bit hash of that verifying key be sufficient to maintain > our security level?
For mutable files we need only second-pre-image-resistance (i.e. someone who does *not* have the write-cap can't come up with a verification string that collides with a legit one), which means we need only 128-bits of hash output. For immutable files we need collision-resistance (i.e. even the original uploader can't come up with a colliding pair of verification strings), which means we need 256-bits of hash output. Regards, Zooko _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
