Date: Mon, 6 Jan 2014 09:19:02 +0100
From: Jean-Philippe Aumasson <>
Subject: Re: [PHC] Proposed timeline changes

Thanks Alex for the constructive feedback.

I guess we won't need a formal definition of tweak, it's rather an
I-know-it-when-I-see-it: it should be a modification of the submitted
algorithm rather than a radically new algorithm, such that the
modified algorithm should not differ too much from the original one.

In previous competitions (AES, eSTREAM, SHA-3), I did not feel that
there was a significant need for "knowledge reuse", however I
understand that the case of password hashing may be specific.

I agree that it may be sensible to decide on the competition structure
(whether and when to shortlist, tweak, etc.) based on the knowledge of
the submissions received.

This afternoon I'm presenting PHC at the Symmetric Crypto seminar in
Dagstuhl (
I'm planning to announce the new submission deadline (March 31).

On Sun, Jan 5, 2014 at 10:24 AM, Solar Designer <> wrote:
> On Sun, Jan 05, 2014 at 09:55:28AM +0100, Jean-Philippe Aumasson wrote:
>> 1) Move the submission deadline from January 31 to March 31 (with unchanged
>> requirements)
>> 2) Agree on a new tentative timeline before March 31 (which may be further
>> revised depending on the quantity and quality of submissions)
>> Any objection?
> No objections from me.
>> On Jan 5, 2014 9:41 AM, "Jean-Philippe Aumasson" <> wrote:
>> > However we won't accept submissions after the initial deadline. And round
>> > 2 is about shortlisting a few submissions rather than receiving new ones.
>> > The game has to have rules :)
>> >
>> > What do other panel members think?
> I think many (if not all) of us are going to learn a few things from
> each other's submissions.  It is important to let us reuse this
> knowledge in revised submissions, and this may require more than tweaks.
> I am also unsure of what qualifies as a mere tweak and what does not,
> and whether adding an extra password hashing scheme variation or extra
> mode of operation (e.g., a scripting language friendly one to a
> submission previously friendly to native code only) falls under "tweaks"
> or not.  (Obviously, I am assuming that the test vectors will differ.
> If they don't, it's a mere implementation change, which is not in any
> way limited by PHC rules.)
> The scripting language example is not an arbitrary one.  What I am
> seeing so far is that all new designs being discussed so far focus on
> native code only, so far.  Yet I think that given more time, having
> received initial reviews/feedback, and having seen each other's
> submissions, some of those same teams may come up with variations of
> their schemes intended for scripting languages.  It just feels premature
> to work on that yet.
> The game does have to have rules, but not necessarily the exact rules
> outlined in the provisional timeline so far.  If you feel that we need a
> round where we'd shortlist a few finalists, then I think we potentially
> need an extra round (before the shortlisting) for the knowledge reuse.
> We might have a slightly better idea on whether the shortlisting round
> is needed if we ask would-be submitters to announce their plans to
> submit by/on the previously scheduled date of January 31 (so it won't be
> a surprise to them that something is expected from them by then, and
> it'd be a relief that less is expected and they have 2 more months for
> the actual submissions).
> Alexander
