| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20140122130702.GA2860@openwall.com> Date: Wed, 22 Jan 2014 17:07:02 +0400 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Modified pseudo-random distribution in NoelKDF On Wed, Jan 22, 2014 at 07:43:53AM -0500, Bill Cox wrote: > This reduced the 25% coverage attack to 24.5X penalty for a 1% cheat > killer pass. I did the same for the sliding window. I increased the > minimum edge length to pebble a node to 22,500 to keep it at 25.0% > pebble coverage, and the penalty dropped to 0.88X for my 1% pass. What is meant by a penalty of 0.88X? Perhaps a penalty below 1X is not actually a penalty. Is this only a math abstraction useful for actually relevant conclusions like: > A 100% pass would have a penalty of 88X. Also, a 20% pass (pebble every > 16 instead of 12, and edge length <= 10,000) gets 10X penalty for 1%, > or 1000X penalty for 100% coverage. > > It still looks pretty good to me, though the cubed distribution seems > stronger in defense. ... speaking of defense against TMTO only, but that's not the only thing we should care about. I don't want to move too far from uniform distribution for reasons I previously explained. Thank you for running these simulations! Oh, and would you post the code for others in here to play with? Have you actually implemented working TMTO attacks (computing the hashes in less memory, and checking them against test vectors), or are you only calculating what it'd take? Alexander
Powered by blists - more mailing lists