Date: Mon, 9 Dec 2013 20:30:18 +0100
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] blakerypt sequential memory-hard function


Stefan.Lucks@...-weimar.de (at Monday, December 9, 2013, 1:54:41 PM):

> You know Boyen's halting password puzzles (for time usage, not really for
> memory usage)?

> https://crypto.stanford.edu/~xb/security07/index.html


that is very interesting with two remarks:

1. this design uses indexing on secret. also, i'm not exactly a math
person, but it appears to me that it is essential to the proof. if i'm
not mistaken, basically it is a walk based on the secret, without
which you "get lost in the forest". i wonder if you can circumvent
this limitation.

2. though a good initiative, its benefits are not as huge as it first
seems. we can't expect users to be very sophisticated with their
choice of parameters. to be user friendly, you probably want to offer
some preset values, and not just run-till-stopped. and therefore we
can kind of expect the running time to be guessable. it is also easy
to listen in on an authentication session, and measure the timing.
