lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 06 Jan 2014 16:15:36 +0100
From: Christian Forler <>
Subject: Re: [PHC] Security concern for Catena

On 06.01.2014 12:54, Bill Cox wrote:
> I don't think my attack works with Catena 2, does it?

To a certain degree. :-)

The benefit decrees in a drastic way when you use Catena-2 instead of
Catena-1. It becomes even worse with Catena-3 and so on and so forth.

> I hope not, because I just switched NoelKDF to use something very
> similar to Catena 2 to eliminate timing attacks.  If Catena 2 has a
> weakness, I would appreciate hearing about it.

Catena-\lambda, and especially Catena-2, is *NOT*
sequential-memory-hard. So you do always benefit from multiple cores.
For c cores you can theoretically speed up the performance to a factor
of O(c^(1/\lambda+1)). So, for c=1,000,000  you can speedup the
computation of Catena-2 by a factor of 100.

I'm mot sure if this is either acceptable or not. What do you think?

Best regards,

Download attachment "signature.asc" of type "application/pgp-signature" (552 bytes)

Powered by blists - more mailing lists