| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 14 Jul 2015 14:09:33 +0200
From: Jakob Wenzel <jakob.wenzel@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Overview of PHC Candidates and Garbage-Collector Attacks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 09.07.2015 20:22, Hongjun Wu wrote:
> Hi Jocob,
>
> Thanks for the report.
>
> 1. To be precise, the state of POMELO (of the second round) is
> updated 3*2^{t_cost}+2 times on average (some details: a state is
> updated through feedback; local table lookup; global table lookup).
>
>
Hi Hongjun,
Thank you for your comments! I changed the number of updates from
2^{2*t_cost}+2 to 3*2^{t_cost}+2.
> 2. Assume that the memory usage data in Table 1 is accurate, it is
> a surprise that only two (?) finalists provide memory usage in a
> wide range (Battcrypt: 128KB to 128M; POMELO: 8 KB to 256GB).
> Argon is another candidate that provides memory in a wide range
> (1KB to 1GB), but Argon2 does not have that feature.
The table is generated from the parameter recommendations taken from
the specifications. I don't think that only battcrypt and POMELO
provide a wide range of memory usage, but that most recommendations
where done for the case of maximum memory usage by still providing an
acceptable login time for the user.
Considering Catena-BRG, we recommended 128 MB memory usage which runs
in about 0.51 seconds. But, you can also invoke Catena-BRG with only
128KB of memory then running in about 0.02 seconds (for lambda = 255).
Best regards,
Jakob
> 3. Since the report talks about the security of each candidate in
> Table I add something on POMELO below.
>
> As analyzed in the POMELO document, even for t_cost = 0, POMELO
> provides strong protection against the low memory attack since it
> is costly to store partial state in the attack due to the
> combination of local table lookup and global table lookup. The
> protection mechanism of POMELO against low memory attack is
> completely different from all the other candidates, and I think
> that POMELO provides a very efficient approach to defend against
> low memory attack.
>
> Best Regards, Hongjun
>
> On Thu, Jul 2, 2015 at 11:05 PM, Jakob Wenzel
> <jakob.wenzel@...-weimar.de <mailto:jakob.wenzel@...-weimar.de>>
> wrote:
>
> Hi all,
>
> we have updated the classification document (including analysis
> regarding to (weak) garbage-collector attacks -- (W)GCA).
>
> See: https://eprint.iacr.org/2014/881
>
> Among other minor changes, the update includes: 1) Argon2d and
> Argon2i (as two instantiations of the finalist Argon2) 2) yescrypt
> now provides (W)GCA resistance under certain requirements depending
> on the input parameter 3) tables now differentiate between
> finalist/non-finalists 4) added motivation for (W)GCA attacks in
> the introduction 5) BLAKE2b-1 is added as hash function for Catena
> 6) BlaMka is added as permutation for Lyra2 (in brackets, since it
> is not fully analyzed yet and thus, not recommended as default
> instantiation by the authors of Lyra2)
>
> Comments are welcome.
>
> Best regards, Jakob
>
>
>
- --
Jakob Wenzel
Research Assistant
Chair of Media Security (Prof. Lucks)
Bauhausstraße 11 (Room 217)
99423 Weimar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVpPv9AAoJEDFlRQsgEDnDeIwH/1AN3K8YoZm6utshpZNvjnpt
4ZsDpchHcq2lP5l13ey3eONg7cQGAqHsLqWazUYO8z7uQV1YXn50NVYhqO12pXan
8l+NYYcJURHP8EUHarIfzbwpTjL7MRFygAauulBxnqgucws1uKeJ6tV9FURdexsv
e5lfYHf94tzZDn2Ts/XIAdFttjcNOhk5Su4wxEgyJD8H3mTod8XzoK5zM0H1/7es
xn4XF0KgWPcW5CUxdNSbNspKqLXDWt2LQG3TmIdKRiovx1HfXGYzb5dBMYZjPbGB
Kuqu5t2i1iBr33yb1I76Lc9P6uN95qmYPzRCE/+G5U13mzcU9NvhvhRkNjLnnLI=
=lL5c
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists