[cryptography] philosophical question about strengths and attacks at impossible levels

Zooko O'Whielacronx zooko at zooko.com
Thu Oct 14 22:33:31 EDT 2010


Following-up to my own post to correct a goof:

On Wed, Oct 13, 2010 at 10:56 PM, Zooko O'Whielacronx <zooko at zooko.com> wrote:
>
> If a hash has 32-bit pre-image-resistance then this means an attacker
> might spend about 2^32 resources to find a pre-image.
>
> If a hash has 64-bit pre-image-resistance then this means an attacker
> might spend about 2^64 resources to find a pre-image.
>
> What if a hash has 512-bit collision-resistance?

I originally wrote this letter in terms of collision-resistance, and
then changed it to be in terms of pre-image resistance, and missed a
spot when editing. There's no intended meaning in the switch from
pre-image resistance to collision-resistance above--I intended it to
be pre-image resistance all the way. I know that collision resistance
is approximately as difficult to achieve as the square of pre-image
resistance is. Also I know that there is no planned SHA-3 standard for
a hash function with 512-bit collisionresistance. Sorry for the
confusion.

Regards,

Zooko Wilcox-O'Hearn



More information about the cryptography mailing list