lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 22 Jan 2014 17:07:02 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Modified pseudo-random distribution in NoelKDF

On Wed, Jan 22, 2014 at 07:43:53AM -0500, Bill Cox wrote:
> This reduced the 25% coverage attack to 24.5X penalty for a 1% cheat
> killer pass.  I did the same for the sliding window.  I increased the
> minimum edge length to pebble a node to 22,500 to keep it at 25.0%
> pebble coverage, and the penalty dropped to 0.88X for my 1% pass.

What is meant by a penalty of 0.88X?  Perhaps a penalty below 1X is not
actually a penalty.  Is this only a math abstraction useful for actually
relevant conclusions like:

> A 100% pass would have a penalty of 88X.  Also, a 20% pass (pebble every
> 16 instead of 12, and edge length <= 10,000) gets 10X penalty for 1%,
> or 1000X penalty for 100% coverage.
> 
> It still looks pretty good to me, though the cubed distribution seems
> stronger in defense.

... speaking of defense against TMTO only, but that's not the only thing
we should care about.  I don't want to move too far from uniform
distribution for reasons I previously explained.

Thank you for running these simulations!

Oh, and would you post the code for others in here to play with?  Have
you actually implemented working TMTO attacks (computing the hashes in
less memory, and checking them against test vectors), or are you only
calculating what it'd take?

Alexander

Powered by blists - more mailing lists