2013.01.02 06:32:25 (286344171420278786) from Daniel J. Bernstein, replying to "Solar Designer (@solardiz)" (286222122047651840):
@solardiz @hashbreaker @aumasson @_emboss_ n-collisions in a strong PRF size-n hash table need about n^2 queries (more with noisy queries).
2013.01.01 13:03:36 (286080228516831232) from Daniel J. Bernstein, replying to "Solar Designer (@solardiz)" (285551113959264257):
@solardiz @aumasson @_emboss_ Yeah, we discuss this in the SipHash paper. A strong PRF reduces the damage to square root of communication.
2013.01.01 16:10:48 (286127340122161154) from "Solar Designer (@solardiz)":
@hashbreaker @aumasson @_emboss_ e.g. attacker may probe for colliding inputs for a day, then repeat 1-second DoS each second for a 2nd day
2013.01.01 22:01:23 (286215566325338112) from Daniel J. Bernstein, replying to "Solar Designer (@solardiz)" (286127340122161154):
@solardiz @aumasson @_emboss_ Sure. The safe key lifetime depends on how many hash collisions are tolerable and how quickly collisions leak.
2013.01.01 22:27:26 (286222122047651840) from "Solar Designer (@solardiz)":
@hashbreaker @aumasson @_emboss_ Having to estimate how quickly collisions leak is deviation from protecting against worst possible exposure