lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 21 Jan 2014 06:19:23 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Modified pseudo-random distribution in NoelKDF

On Mon, Jan 20, 2014 at 03:56:13PM -0500, Bill Cox wrote:
> On Mon, Jan 20, 2014 at 9:01 AM, Solar Designer <solar@...nwall.com> wrote:
> > Do you have specific numbers for the original approach above, and what
> > would be high enough (in your opinion)?
> 
> I would like to hurt a guy using only 1/4 of the memory enough that
> his attack is not practical.  I also want to not spend much time in
> the second loop forcing an attacker to show memory locations, so I'd
> like to read only 1% of the blocks.  A guy using only 1/8th should be
> deep into impractical TMTO territory.

How do you implement thread-level parallelism, or is this scheme with
the second loop at 1% only suitable for p=1?

> The average recalculation for 10,000,000 nodes covered by evenly
> spaced pebbles [...]

What if they are not evenly spaced?  You're making the distribution of
lookup indices highly non-uniform, so perhaps an attacker with limited
memory can adjust the spacing accordingly and achieve a lower TMTO
penalty?

Alexander

Powered by blists - more mailing lists