lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Jan 2014 18:46:22 -0500
From: Bill Cox <>
Subject: Re: [PHC] Lyra, Password Key Derivation Based On The Sponge Construction

RC4 is the perfect example to use, and I disagree about the entropy ratio.
 If you have 20 bits of entropy in a user's password, and 256 bits of
entropy from salt, using RC4 initialized from this 276 bits to generate 4GB
of hash data is a *good* idea.

No one is looking at your hashed data, which is the difference.  All that
matters in the end is the 256-ish bits of derived key you spit out.  You
can't turn the user's 20 bits into more than 2^20 possible outcomes for a
given salt, but thrashing all that memory for a full second will force an
attacker with a GPU to spend a couple days to guess it.  If that were just
protected with one round of SHA-256, it would take a small fraction of a

My point is that it's useless to worry about the entropy of the data we
write to memory.  RC4 is already too strong, and a waste of CPU cycles.  So
long as we don't lose significant entropy along the way, any dumb hash that
an attacker has to actually compute is good enough.


On Wed, Jan 8, 2014 at 6:08 PM, Poul-Henning Kamp <>wrote:

> In message <CAOLP8p5wwnaOpPGW0rA+Q9nz-jYtKhEL0aujMALuRuG=
> , Bill Cox writes:
> >Thanks for this very interesting link.  Lyra first fills a matrix with
> hash
> >data which is derived from the password, and then randomly picks a "row"
> >and for each location it updates the hash state from the location's value,
> >and then XORs into the location the next output of the hashing engine.
> Two things worry me about the general approach Lyra takes.
> My first thought was that this sounds vulnerable to the same issue
> RC4 suffers from:   It takes more entropy to "randomize" it properly
> than is typically available for the purpose.
> Lack of entropy is a major issue in any password context, and therefore
> I think it is wise to pay attention to the:
>         bits of entropy
>         ---------------
>         bits of state
> ratio not getting too low.
> The second thought is that a large memory footprint, desirable for
> all the reasons the Lyra presentation mentions, vastly increases
> the ways and means to discover what is going on through covert
> channels.
> So as a general principle, I'm personally not going to be very
> impressed by claims on the general form:
>         "The ${datestructure} can be sized however large you like"
> even if it comes with a mathematically proof of ${something}, unless
> it also comes with plan for how it gets initialized with only limited
> entropy being available, and analysis of to what extent the access
> patterns may reveal its state.
> Poul-Henning
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@...eBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.

Content of type "text/html" skipped

Powered by blists - more mailing lists