lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 30 Mar 2015 18:22:13 +0200
From: Jakob Wenzel <jakob.wenzel@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Another PHC candidates "mechanical" tests (ROUND2)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 30.03.2015 13:52, Milan Broz wrote:
> On 03/30/2015 01:24 PM, Solar Designer wrote:
>> Milan,
>> 
>> On Tue, Mar 24, 2015 at 11:50:44PM +0100, Milan Broz wrote:
>>> The updated test report (draft) is here
>>> 
>>> https://github.com/mbroz/PHCtest/blob/master/output/phc_round2.pdf
>>
>>
>>>
>>> 
This really needs the cross-chart we discussed - memory usage vs. real
>> time with increasing m_cost and fixed lowest supported t_cost. 
>> From your charts, it was - and still is - not apparent to me
>> that (or whether?) POMELO v2 performs so well (as the author
>> claims) at large memory settings.
> 
> Yes, I'll plan to look into this soon.
> 
>> And you did not include it in Table 4 ("Ability to cover real 
>> use-case limits"), I guess because it was unclear even to you 
>> that it's competitive for your use case.
> 
> It is not there because I did not find any mention that POMELO can 
> be used directly as a KDF in the paper (and the use case is for 
> KDF). The garbage-collector attack paper 
> http://eprint.iacr.org/2014/881 also mentions that it is not KDF
> in Table 4.
> 
> Could authors clarify that?

Hi,

we did not mark POMELO as a KDF for the following reasons:

The authors of POMELO (v2)
1) ...did not claim that POMELO can be used as a KDF
2) ...neither claimed nor proved randomness of the outputs which is
   required for a good KDF

Best regards,
Jakob
(one of the authors of http://eprint.iacr.org/2014/881)


- -- 
Jakob Wenzel
Research Assistant
Chair of Media Security (Prof. Lucks)
Bauhausstraße 11 (Room 217)
99423 Weimar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJVGXg1AAoJEDFlRQsgEDnDG0kH/0oOH9KYK6gB/NMTnMpZswU8
yhSZERlnKg/jcqmS6WnIS2/PBm2C3faWEMk3sprlEA1S3r4KDY5UKQmDhdABfG3I
2ejmyufn1rxkbCZ1E8J+asdMxhS7hzVNX1Tm/w/kj5u6q+JNph+1WfVst+VT0ECX
cQ5eENVsPWyMcSfzkvbqD+X0A9b92+jhJtS8xbgIq8EQVk2yNE2X1/B4to34bWSt
MFEJgrtiZDlVpuxIJw4H+C4o1FOTdO7XB1okKePK1noeYuWtcj3p5a9XcKK/CN6u
BDTQz/i8MmgtoSR1siVhaGX8cB0UrV0+9R/50yhHkRcqWlasfzi1Nmn/TsDDz+Q=
=8ap7
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ