Message-ID: <CA+aY-u48TXP4LutbPaAZKRWA4kJYaOXFsPnoF3rG8aMJ84=4TQ@mail.gmail.com>
Date: Sun, 29 Dec 2013 22:50:32 +0000
From: Peter Maxwell <peter@...icient.co.uk>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Initial hashing function. Feedback welcome
On 29 December 2013 22:29, Bill Cox <waywardgeek@...il.com> wrote:
>
> A weakness of the hashing function vs scrypt is that it is a simple
> non-cryptographic hash, rather than scrypt's Salsa20/8. This is the
> primary reason it runs faster. If we do not need a strong cryptographic
> hash, there is significant opportunity for improving performance.
>
Afaik, the important property is more that an adversary cannot calculate
what's at each memory location, in a random access model, at less cost than
a memory access. Or, that the algorithm doesn't create clustered accesses
that can be calculated in a single independent segment.
>
> Is there any reason such a simple hash function should not be used? I am
> particularly interested in feedback on this point.
>
As far as I know, as long as what you've generated has some fairly basic
properties and would cost more to calculate than the relevant memory
access, you're fine. I'm open to being corrected though: it's been a
while since I've done any reading on this and I'm not entirely convinced
memory-hard functions are the silver bullet they've been made out to be
anyway.