On Mar 31, 2008, at 4:47 AM, Ivan Krstić wrote:
Tahoe doesn't run this service either. I can't use it to make guesses
at any of the values you mentioned. I can use it to make guesses at
whole documents incorporating such values, which is in most cases a
highly non-trivial distinction.
The way
On Mar 31, 2008, at 6:44 AM, James A. Donald wrote:
Better still, have a limited supply of tickets that enable one to
construct the convergence key. Enough tickets for all normal usage,
but not enough to perform an exhaustive search. [...]
If you give the ticket issuing computers an ellipt
On Mar 30, 2008, at 9:37 PM, zooko wrote:
You can store your True Name, credit card number, bank
account number, mother's maiden name, and so forth, on the same
server as your password, but you don't have to worry about using
salts or key strengthening on those latter secrets, because the
server
Ivan Krstić wrote:
1. take partially known plaintext
2. make a guess, randomly or more intelligently where possible,
about the unknown parts
3. take the current integrated partial+guessed plaintext, hash
to obtain convergence key
4. verify whether that key exists in the storage index
5. if
On Sun, Mar 30, 2008 at 05:13:07PM -0400, Ivan Krstić wrote:
> That's a brute force search. If your convergence key, instead of being
> a simple file hash, is obtained through a deterministic but
> computationally expensive function such as PBKDF2 (or the OpenBSD
> bcrypt, etc), then step 3
On Mar 30, 2008, at 3:12 PM, Leichter, Jerry wrote:
How would that help?
Unless I'm misunderstanding Zooko's writeup, he's worried about an
attacker going from a partially-known plaintext (e.g. a form bank
letter) to a completely-known plaintext by repeating the following
process:
1. ta
| >They extended the confirmation-of-a-file attack into the
| >learn-partial-information attack. In this new attack, the
| >attacker learns some information from the file. This is done by
| >trying possible values for unknown parts of a file and then
| >checking whether the resu
On Mar 20, 2008, at 3:42 PM, zooko wrote:
They extended the confirmation-of-a-file attack into the
learn-partial-information attack. In this new attack, the
attacker learns some information from the file. This is done by
trying possible values for unknown parts of a file and then
c
Jim:
Thanks for your detailed response on the convergent encryption issue.
In this post, I'll just focus on one very interesting question that
you raise: "When do either of these attacks on convergent encryption
apply?".
In my original note I was thinking about the allmydata.org "Tahoe"