Open Source and information security mailing list archives
 
Date: Sun, 5 Jan 2014 13:24:27 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Proposed timeline changes

On Sun, Jan 05, 2014 at 09:55:28AM +0100, Jean-Philippe Aumasson wrote:
> 1) Move the submission deadline from January 31 to March 31 (with unchanged
> requirements)
> 
> 2) Agree on a new tentative timeline before March 31 (which may be further
> revised depending on the quantity and quality of submissions)
> 
> Any objection?

No objections from me.

> On Jan 5, 2014 9:41 AM, "Jean-Philippe Aumasson" <jeanphilippe.aumasson@...il.com> wrote:
> > However we won't accept submissions after the initial deadline. And round
> > 2 is about shortlisting a few submissions rather than receiving new ones.
> > The game has to have rules :)
> >
> > What do other panel members think?

I think many (if not all) of us are going to learn a few things from
each other's submissions.  It is important to let us reuse this
knowledge in revised submissions, and this may require more than tweaks.

I am also unsure of what qualifies as a mere tweak and what does not,
and whether adding an extra password hashing scheme variation or extra
mode of operation (e.g., a scripting language friendly one to a
submission previously friendly to native code only) falls under "tweaks"
or not.  (Obviously, I am assuming that the test vectors will differ.
If they don't, it's a mere implementation change, which is not in any
way limited by PHC rules.)

The scripting language example is not an arbitrary one.  What I am
seeing so far is that all new designs being discussed so far focus on
native code only, so far.  Yet I think that given more time, having
received initial reviews/feedback, and having seen each other's
submissions, some of those same teams may come up with variations of
their schemes intended for scripting languages.  It just feels premature
to work on that yet.

The game does have to have rules, but not necessarily the exact rules
outlined in the provisional timeline so far.  If you feel that we need a
round where we'd shortlist a few finalists, then I think we potentially
need an extra round (before the shortlisting) for the knowledge reuse.

We might have a slightly better idea on whether the shortlisting round
is needed if we ask would-be submitters to announce their plans to
submit by/on the previously scheduled date of January 31 (so it won't be
a surprise to them that something is expected from them by then, and
it'd be a relief that less is expected and they have 2 more months for
the actual submissions).

Alexander
