On 23 February 2016 at 08:02, Van Gegel <[email protected]> wrote: > Another problem: what is the minimum bit length of the hash (commitment) > is required for reliable verification by 32-bit short fingerprints of > secret? Note: data transfer price is very high in our case. > > If data is so expensive, you might want to look at M-221 or E-222 as smaller curves. [https://safecurves.cr.yp.to/]
If you used a memory/cpu hard function (PBKDF/scrypt/argon) to generate the 32-bit fingerprint then you could lower the size of the hash commitment. It would come down to the type of adversary you want to protect from. You could use a 64-bit commitment and a memory hard function that takes 1 second to calculate for instance and get a very high level of protection. It is a tradeoff, as with most things in life.
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
