lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 Apr 2013 13:49:59 -0400
From: Matthew Green <>
Subject: Re: [PHC] Testing Password Hashing functions

Formally, the right tool here is to ask for a proof that the construction is indifferentiable from a random oracle -- assuming that the building blocks (underlying hash functions, block ciphers, etc.) also meet similar criteria.

The submitters don't have to write this proof, but it would be one of the criteria for analysis. Since most of these functions will probably be based on 'standard' building blocks, this shouldn't be an enormous stretch.

Of course, this is orthogonal to the specific requirements that make a password hash special -- namely, the fact that they're slow to compute.


On Apr 5, 2013, at 12:54 PM, Marsh Ray <> wrote:

>> -----Original Message-----
>> From: Yann Droneaud []
>> Sent: Friday, April 5, 2013 8:53 AM
>> To:
>> Subject: Re: [PHC] Testing Password Hashing functions
>> So using the PRNG test is probably a first evaluation step, but doesn't seems
>> to be enough.
> Agree. They're a useful sanity check.
> RC4 is an example of a PRNG that wouldn't pass basic statistical tests.
> AES-128 in CTR mode with the key and plaintext inputs switched is a simple example of a PRNG which would pass all statistical tests and yet be completely broken.
> An additional requirement of a password hashing function over a PRNG is that it require a significant amount of work to compute which no one can optimize away. I'm not sure statistical tests can help much here.
>> So what others tools, methods are going to be used to evaluate password
>> hash functions ?
> My impression is that the construction of any potentially-reusable parts of the tools is so much easier than the analysis itself that it's almost a rite of passage for researchers to write their own. Unfortunately, only a few end up as open source.
> There's a few at
> Marc Stevens makes his MD5 and SHA-1 tools open source
> - Marsh

Powered by blists - more mailing lists