[Cryptography] Squaring Zooko's triangle

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Sep 10 13:09:14 EDT 2013

On 10/09/13 05:38, James A. Donald wrote:
> On 2013-09-10 3:12 AM, Peter Fairbrother wrote:
>> I like to look at it the other way round, retrieving the correct name
>> for a key.
>> You don't give someone your name, you give them an 80-bit key
>> fingerprint. It looks something like m-NN4H-JS7Y-OTRH-GIRN. The m- is
>> common to all, it just says this is one of that sort of hash.
> 1.  And they run away screaming.

Sorry, I misspoke: you can of course give them your name, just not your 
telephone number or email address. You give them the hash instead of those.

> 2.  It only takes 2^50 trials to come up with a valid fingerprint that
> agrees with your fingerprint except at four non chosen places.

And that will help an attacker how?

To use a hash to contact you Bob has to ask the semi-trusted server to 
find the hash and then return your matching input string - if he gets it 
wrong even in one place the server will return a different hash, or no 
hash at all.

Bob can't use a hash which doesn't match exactly.

Sound too restrictive? But Bob can't use a telephone number or email 
address which is wrong in one place, never mind four, either.

I was even thinking of using a 60-bit hash fingerprint (with a whole lot 
of extra work added, to make finding a matching tailored preimage about 
2^100 or so total work), so a hash would look like s-NN4H-JS7Y-OTRH but 
I haven't convinced myself that that would work yet.

Mind you, I haven't ruled it out either. There is a flood attack, but it 
can be defeated by people paying a dollar to the server when they input 
a hash.

-- Peter Fairbrother

> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

More information about the cryptography mailing list