Date: Tue, 21 Apr 2015 19:01:29 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Argon2 modulo division




Bill Cox (at Tuesday, April 21, 2015, 5:48:31 PM):

>> Generally, small integer division algorithms that are not
>> constant-time...
> I do not consider this to be a limitation of Argon2d, though Lyra2
> (and TwoCats) does protect against related attacks with it's
> password independent first loop.  However, there are some tin-foil
> hat attacks

this is unfortunately not the first time i hear such unscientific
arguments on the list. it would be a good time to stop that.

side channel attacks not only bypass the computational hardness. it is
false that in case of a succesful attack, the hashing scheme reverts
back to a single hash, or a half-hash if there are two phases. side
channels are much more sinister. it is possible to steal the password
in situations when it was not at all possible without them.

the scenario is really simple. consider a system that is well
protected agaist evesdropping, and the attackers have not managed to
steal the password hash either. but the system is vulnerable to some
sort of power/timing analysis. an attacker can gain absolutely zero
knowledge if the hashing scheme is resistant against that type of
attack. but they might learn enough information to recover the
password, if the scheme is vulnerable to the attack.

whether such attacks are actually feasible is very hard to tell in
advance, but given the vast number of possible attack vectors, and the
resent upsurge in successful side channel attacks, calling it
improbable is totally bad science. the best you can say is we don't
know, but we also didn't think very hard, honestly. if something is
possible, it is only a matter of time before it becomes feasible.

Powered by blists - more mailing lists