Sandy Harris wrote:
> On 11/8/09, Zooko Wilcox-O'Hearn <zo...@zooko.com> wrote:
>
>> Therefore I've been thinking about how to make Tahoe-LAFS robust against
>> the possibility that SHA-256 will turn out to be insecure.
>
> [...]
>
> Since you are encrypting the files anyway, I wonder if you could
> use one of the modes developed for IPsec where a single pass
> with a block cipher gives both encrypted text and a hash-like
> authentication output. That gives you a "free" value to use as
> H3 in my scheme or H2 in yours, and its security depends on
> the block cipher, not on any hash.
Tahoe is intended to provide resistance to collision attacks by the creator of an immutable file: the creator should not be able to generate files with different contents that can be read and verified by the same read capability. An authenticated encryption mode won't provide that -- unless, perhaps, it relies on a collision-resistant hash.

-- 
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
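The point David-Sarah makes above is that an authentication tag binds a message to a key, not a key holder to a message: whoever holds the key can produce several contents that verify under the same tag. The following Python is an added illustration written for this thread, not code from the discussion or from Tahoe-LAFS. It models the GHASH-style polynomial authenticator used by GCM (the kind of one-pass AE output Sandy refers to) with a toy `poly_mac` over GF(2^128), and assumes the file creator knows the authentication subkey `H` (GCM derives it from the AES key; here it is used directly). Because the authenticator is linear in the message blocks, a key holder can swap the first block and repair the last one so the tag is unchanged, while the SHA-256 digests of the two contents differ. The sample contents and subkey are constructed here.

```python
import hashlib
import secrets

# GHASH's field: GF(2^128) with x^128 + x^7 + x^2 + x + 1 in the bit-reflected
# representation GCM uses; R is the reduction term, 1 << 127 is the identity.
R = 0xE1 << 120
BLOCK = 16


def gf128_mul(x: int, y: int) -> int:
    """Multiply two field elements, NIST SP 800-38D Algorithm 1 (shift-and-add)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # y_i, most significant bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(msg: bytes):
    """Split into 16-byte blocks, zero-padding the last one as GHASH does."""
    for i in range(0, len(msg), BLOCK):
        yield int.from_bytes(msg[i:i + BLOCK].ljust(BLOCK, b"\0"), "big")


def poly_mac(h: int, msg: bytes) -> int:
    """Toy polynomial authenticator: m1*H^n + m2*H^(n-1) + ... + mn*H (Horner)."""
    y = 0
    for m in _blocks(msg):
        y = gf128_mul(y ^ m, h)
    return y


def colliding_message(h: int, msg: bytes, new_first: bytes) -> bytes:
    """Given the subkey H, return a different message with the same tag.

    Replacing block 1 shifts the tag by d*H^n (d = old XOR new). Adding
    d*H^(n-1) to the last block contributes exactly d*H^n too, cancelling it,
    because the tag is linear in the blocks. Requires a whole number of
    blocks (at least two) so padding does not get in the way.
    """
    assert len(msg) % BLOCK == 0 and len(msg) >= 2 * BLOCK
    assert len(new_first) == BLOCK
    n = len(msg) // BLOCK
    d = int.from_bytes(msg[:BLOCK], "big") ^ int.from_bytes(new_first, "big")
    fix = d
    for _ in range(n - 1):           # fix = d * H^(n-1)
        fix = gf128_mul(fix, h)
    last = int.from_bytes(msg[-BLOCK:], "big") ^ fix
    return new_first + msg[BLOCK:-BLOCK] + last.to_bytes(BLOCK, "big")


def content_hash(msg: bytes) -> bytes:
    """The collision-resistant identifier Tahoe relies on instead of a tag."""
    return hashlib.sha256(msg).digest()


def demo() -> dict:
    """Constructed scenario: the creator holds H and derives two contents."""
    h = int.from_bytes(secrets.token_bytes(BLOCK), "big") or (1 << 127)
    file_a = b"constructed immutable file".ljust(2 * BLOCK, b"\0")
    file_b = colliding_message(h, file_a, b"tampered block 1")
    return {
        "different_contents": file_a != file_b,
        "same_tag": poly_mac(h, file_a) == poly_mac(h, file_b),
        "same_digest": content_hash(file_a) == content_hash(file_b),
    }


if __name__ == "__main__":
    # Expected: different contents, same tag, but different SHA-256 digests.
    print(demo())
```

The repair step generalises to any number of blocks, which is why the tag cannot serve as the creator-binding part of a read capability: a verifier holding only the key and tag accepts both files, whereas a verifier holding the SHA-256 digest accepts exactly one. Nothing here helps against the contents being forged by someone without the key; that is the property an AE mode does give, and it is a different property from the one the thread is asking for.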