2023-06-07 17:47:48
Zooko Wilcox-O'Hearn [ARCHIVE] on Nostr:

📅 Original date posted: 2016-01-12
📝 Original message:

Folks:

I don't fully understand this thread, but it sounds like to me it
might be omitting consideration of multi-target attacks. For example,
Tier Nolan's attack
(http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/012230.html),
which seems to be the best attack on this thread, seems to start with
one specific public key of an intended victim, but if the attacker is
happy to find a collision with *any* one out of a large number of
potential victims, he gets an advantage proportional to the number of
potential victims.

So it would be wise, in addition to the kind of analysis already done
on this thread (which appears to have already settled at "Yes, we need
> 80-bit security."), to make a nice optimistic estimate of how many
public keys we could eventually have in use. 2⁴⁰? 2⁵⁰? Or maybe be
*very* optimistic, with some added IoT [*] goodness, and budget for
2⁶⁰?

Then we need to budget that many more bits of security to keep the
future attacker's chances of success low enough that the attacker will
never succeed. (Assuming that's our requirement.)

You might enjoy this recent blog post by DJB, legendary cryptographer
who works in this niche of cryptography as well as several other
niches:

http://blog.cr.yp.to/20151120-batchattacks.html

It has some interesting philosophical musings about the "Attacker
Economist" approach. (N.B. My respect for DJB's accomplishments is
tremendous, but that doesn't mean I automatically agree with
everything he says. I haven't made up my mind what I think about this
particular philosophical argument.)

Sincerely,

Zooko

[*] The Internet of Targets
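The budgeting argument in the message above can be made concrete with a small model. The following is an added illustration, not part of Zooko's post or the bitcoin-dev thread: it computes how many extra bits a multi-target attacker effectively strips off (log2 of the number of potential victims), the resulting security budget, and checks the "advantage proportional to the number of victims" claim by simulation on a toy key space of a few bits. The function names, the toy key sizes and the random-guess attacker model are all assumptions chosen for the example.

```python
import math
import random


def extra_bits_for_targets(n_targets: int) -> int:
    """Security bits consumed by an attacker who is happy to hit *any* of n_targets keys.

    With N potential victims, each guess has N chances to succeed instead of one,
    so the work drops by a factor of N, i.e. by log2(N) bits.
    """
    if n_targets < 1:
        raise ValueError("need at least one target")
    return math.ceil(math.log2(n_targets))


def budget_bits(single_target_bits: int, n_targets: int) -> int:
    """Bits to budget so the multi-target attacker still faces the single-target work."""
    return single_target_bits + extra_bits_for_targets(n_targets)


def expected_guesses(bits: int, n_targets: int) -> float:
    """Expected uniform random guesses before hitting any of n_targets distinct values
    in a space of 2**bits (mean of a geometric distribution with p = n / 2**bits)."""
    return (2 ** bits) / n_targets


def simulate_mean_guesses(bits: int, n_targets: int, runs: int, seed: int = 0) -> float:
    """Toy simulation (constructed, not a real key space): n_targets random values in a
    2**bits space; the attacker guesses uniformly until one of them is hit.
    Returns the average number of guesses over `runs` independent trials."""
    rng = random.Random(seed)
    space = 2 ** bits
    total = 0
    for _ in range(runs):
        targets = set(rng.sample(range(space), n_targets))  # assumed victim set
        guesses = 0
        while True:
            guesses += 1
            if rng.randrange(space) in targets:
                break
        total += guesses
    return total / runs


if __name__ == "__main__":
    # Budgeting in the spirit of the thread: 80-bit single-target security,
    # scaled for 2**40, 2**50 and 2**60 potential victims.
    for n in (2 ** 40, 2 ** 50, 2 ** 60):
        print(f"{n:>25} keys -> budget {budget_bits(80, n)} bits")
    # Toy check of the 1/N scaling on a 16-bit space with 64 victims.
    print("expected:", expected_guesses(16, 64))
    print("simulated:", simulate_mean_guesses(16, 64, runs=300, seed=1))
```

The simulation only confirms the scaling on a toy space; the point for a real deployment is the budgeting function, which shows that an 80-bit single-target requirement becomes 120, 130 or 140 bits once 2⁴⁰, 2⁵⁰ or 2⁶⁰ keys are assumed to be in use.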
Author Public Key
npub198hn0klxaeu622g84p832yd4hglek0h3p9cy8aklkcxv56cr5kwql949yg