2013.01.01 22:01:23 (286215566325338112) from Daniel J. Bernstein, replying to "Solar Designer (@solardiz)" (286127340122161154):
@solardiz @aumasson @_emboss_ Sure. The safe key lifetime depends on how many hash collisions are tolerable and how quickly collisions leak.
2012.12.30 20:30:52 (285468012792934400) from "JP Aumasson (@veorq)":
the video of our #29c3 talk is now on YouTube https://www.youtube.com/watch?v=wGYj8fhhUVA cc/ @_emboss_ @hashbreaker
2012.12.31 02:01:05 (285551113959264257) from "Solar Designer (@solardiz)", replying to "JP Aumasson (@veorq)" (285468012792934400):
@aumasson @_emboss_ @hashbreaker Via timings, it might be feasible to probe for one collision, then try to find a 3rd colliding input, ...
2013.01.01 13:03:36 (286080228516831232) from Daniel J. Bernstein, replying to "Solar Designer (@solardiz)" (285551113959264257):
@solardiz @aumasson @_emboss_ Yeah, we discuss this in the SipHash paper. A strong PRF reduces the damage to square root of communication.
2013.01.01 16:10:48 (286127340122161154) from "Solar Designer (@solardiz)":
@hashbreaker @aumasson @_emboss_ e.g. attacker may probe for colliding inputs for a day, then repeat 1-second DoS each second for a 2nd day