[119094] in cryptography@c2.net mail archive
Re: [p2p-hackers] convergent encryption reconsidered
daemon@ATHENA.MIT.EDU (Ivan Krstić)
Sun Mar 30 21:04:36 2008
Cc: theory and practice of decentralized computer networks <p2p-hackers@lists.zooko.com>,
Cryptography <cryptography@metzdowd.com>
From: Ivan Krstić <krstic@solarsail.hcs.harvard.edu>
To: "Leichter, Jerry" <leichter_jerrold@emc.com>
In-Reply-To: <Pine.SOL.4.61.0803301507420.1801@mental>
Date: Sun, 30 Mar 2008 17:13:07 -0400
On Mar 30, 2008, at 3:12 PM, Leichter, Jerry wrote:
> How would that help?
Unless I'm misunderstanding Zooko's writeup, he's worried about an attacker going from a partially-known plaintext (e.g. a form bank letter) to a completely-known plaintext by repeating the following process:
1. take partially known plaintext
2. make a guess, randomly or more intelligently where possible,
about the unknown parts
3. take the current integrated partial+guessed plaintext, hash
to obtain convergence key
4. verify whether that key exists in the storage index
5. if yes, you've found the full plaintext. if not, repeat from '2'.
That's a brute force search. If your convergence key, instead of being a simple file hash, is obtained through a deterministic but computationally expensive function such as PBKDF2 (or the OpenBSD bcrypt, etc), then step 3 makes an exhaustive search prohibitive in most cases while not interfering with normal filesystem operation.

What am I missing?
Cheers,
--
Ivan Krstić <krstic@solarsail.hcs.harvard.edu> | http://radian.org
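The key derivation the message proposes, as an added example that is not code from the post or from any project discussed in the thread: a plain SHA-256 convergence key beside a PBKDF2-derived one, with a check that deduplication still holds and a per-candidate cost measurement. The fixed salt value, the storage-index construction, the iteration count and the sample plaintext are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample plaintext (a partially-known "form letter"); not from the post.
SAMPLE_PLAINTEXT = b"Dear customer, your balance is $1,234.56. Regards, The Bank"

# Fixed, public, grid-wide salt (placeholder value). For convergent encryption the
# salt must be constant or content-derived: a random per-file salt would make
# identical files encrypt to different ciphertexts and break deduplication.
CONVERGENCE_SALT = b"example-grid-convergence-salt-v1"


def convergence_key_fast(plaintext: bytes) -> bytes:
    """Plain convergent encryption: key = SHA-256(plaintext). One cheap hash per
    candidate plaintext, which is what makes the guess-and-check search cheap."""
    return hashlib.sha256(plaintext).digest()


def convergence_key_slow(plaintext: bytes, iterations: int = 200_000) -> bytes:
    """The post's proposal: a deterministic but expensive KDF (PBKDF2-HMAC-SHA256).
    Still a pure function of the plaintext, so two users storing the same file get
    the same key, but each candidate now costs `iterations` HMACs, not one hash."""
    return hashlib.pbkdf2_hmac("sha256", plaintext, CONVERGENCE_SALT, iterations, dklen=32)


def storage_index(key: bytes) -> bytes:
    """Public lookup handle derived from the key (HMAC under a fixed label), so a
    storage server can deduplicate ciphertexts without learning the key itself."""
    return hmac.new(key, b"storage-index", hashlib.sha256).digest()[:16]


def dedup_preserved(derive) -> bool:
    """Identical plaintexts must map to the same storage index (dedup still works)
    and a one-byte change must map to a different one."""
    same = storage_index(derive(SAMPLE_PLAINTEXT)) == storage_index(derive(SAMPLE_PLAINTEXT[:]))
    altered = SAMPLE_PLAINTEXT.replace(b"1,234.56", b"1,234.57")
    different = storage_index(derive(SAMPLE_PLAINTEXT)) != storage_index(derive(altered))
    return same and different


def seconds_per_candidate(derive, plaintext: bytes = SAMPLE_PLAINTEXT) -> float:
    """Wall-clock cost of one key derivation; the slow:fast ratio is the factor by
    which the expensive KDF multiplies the cost of every guess in the search."""
    start = time.perf_counter()
    derive(plaintext)
    return time.perf_counter() - start


if __name__ == "__main__":
    fast, slow = seconds_per_candidate(convergence_key_fast), seconds_per_candidate(convergence_key_slow)
    print(f"dedup ok: sha256={dedup_preserved(convergence_key_fast)} pbkdf2={dedup_preserved(convergence_key_slow)}")
    print(f"per candidate: sha256 {fast * 1e6:.1f} us, pbkdf2 {slow * 1e3:.1f} ms, ~{slow / max(fast, 1e-9):.0f}x")
```

The storage server never sees the convergence key, only the index, so the cost of the KDF is paid once per upload by the client and then amortised across every user who later stores the same file.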
---------------------------------------------------------------------
The Cryptography Mailing List