David-Sarah Hopwood wrote: > For immutable files, we absolutely need 2n bits in a readcap to obtain > collision resistance. It is desirable to also have 2n bits in a verifycap, > to prevent an attack where the creator of a file can use a collision to > generate a verifycap that will succeed in verifying invalid ciphertext > (it isn't clear that this is a particularly useful attack, but it turns > out we can prevent it at no significant cost).
Actually the strength against this attack is only 2^(n/2). It is possible to increase the size of V' without increasing the size of R, if that is considered a problem. -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
