David-Sarah Hopwood wrote: [...] > However, note that this attack depends completely on the fact that hash_r > uses an r-bit chaining value. If hash_r is actually a truncation of a hash > with a z-bit chaining value, then the attack requires 2^(z/2) work. > More precisely, it requires
... at least ... > whatever work is needed for a collision > attack on the untruncated hash, provided that the attack works with > sufficient probability for an arbitrary chaining value. -- David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
