lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 17 Apr 2013 08:25:07 -0400
From: Matthew Green <>
To: "" <>
Cc: Jeffrey Goldberg <>,
 "" <>
Subject: Re: [PHC] Let's not degenerate when if the PRF is too narrow for desired output

I think this statement could be relaxed a bit, but I also agree that overall computational cost should be dominated by the work factor specified as input to the function -- it should not depend strongly (i.e., linearly) on output length.

This would be a real issue in an authentication system where the defender was generating long 'hashes' but an attacker could save cycles by only computing a shorter prefix to test against.

By the way, this would seem to be an issue for scrypt as well, since it uses PBKDF2 for the final generation. 

We should discuss whether we want this to be a criteria for PHC. 


On Apr 17, 2013, at 5:26 AM, Simon Josefsson <> wrote:

> Jeffrey Goldberg <> writes:
>> This is mostly me whining. I just got bitten by the fact that PBKDF2
>> does weird stuff if you ask for more derived data than is natural for
>> the PRF you give it.
> Perhaps this can be converted into a requirement for a nicer KDF: the
> cost to compute one bit of the output should be as high as computing the
> entire output?
> /Simon

Powered by blists - more mailing lists