| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 18 Apr 2015 01:40:37 +0300 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] "Attack on the iterative compression function" Dmitry, On Fri, Apr 17, 2015 at 10:16:05PM +0300, Solar Designer wrote: > I think it would help this community if you try applying your attack to > scrypt proper. Initially for storage of just the last sub-blocks (in > addition to some full blocks), and then (after publishing your initial > results) also for storage of arbitrary sub-blocks. Try to identify > which ones and how many are optimal to store. Perhaps the "how many" > will vary depending on the higher-level TMTO factor that you apply, so > perhaps the SMix-level and BlockMix-level TMTO factors would need to be > optimized together. > > The scrypt paper is very careful when it talks about a "constant factor" > without specifying any upper bound on it, so it won't exactly be a break > of scrypt if you show that this constant factor is higher than is > possible with an SMix-level attack alone. But it will be a significant > new result. Actually, if you show that the reduction of memory-time product for scrypt is a function of r and has no constant upper bound, then this may be a (theoretical) break of scrypt. You could start by considering extreme cases such as N=2 and high r, then N=4 and high r, and then generalize this to any N and r, and see what happens for sane r. I expect that scrypt at high r might in fact be broken in this sense. Alexander
Powered by blists - more mailing lists