Date: Tue, 18 Feb 2014 17:14:23 +0000
From: Samuel Neves <>
Subject: Re: OT: [PHC] multiply-hardening (Re: NoelKDF ready for submission)

On 15-02-2014 07:23, Dennis E. Hamilton wrote:
> This may be completely off in the weeds, but it crossed my mind and I have to ask.
> When creating multiplications of word-sized (W-bit) operands, if you produce a 2W-width product, does it work in your scenario to XOR the two product halves together in getting a new W-bit result?

A function similar to what you propose was used in the eSTREAM
submission Rabbit [1] as part of the core function:
g(x) = ((x + c)*(x + c)) ^ (((x + c)*(x + c)) >> 32), where c is some
constant. Rabbit was quite successful.

More generally, in symmetric primitives integer multiplication seems to
have been used:

    - Modulo some prime, e.g., 2^16+1 in IDEA, 2^32-1 in MMB
      (non-prime), 2^64+13 in DFC.
    - Modulo 2^32, using the 5 upper bits to define a variable-length
      rotation count (MARS, RC6).
    - XOR the upper and lower halves of the full product (only in Rabbit
      as far as I know).
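As an added example (not part of the message above or of any cipher's reference code), the three uses of multiplication listed in the reply, written out in C on 32-bit and 16-bit words; the constant, the rotation helper and all inputs are constructed for illustration:

```c
#include <stdint.h>
#include <stdio.h>

/* 1. Rabbit-style: square (x + c) to a full 64-bit product and XOR the
 *    upper and lower 32-bit halves into a 32-bit result. */
uint32_t g_fold(uint32_t x, uint32_t c) {
    uint32_t s = x + c;                        /* addition mod 2^32 */
    uint64_t sq = (uint64_t)s * (uint64_t)s;   /* full 2W-bit product */
    return (uint32_t)sq ^ (uint32_t)(sq >> 32);
}

/* 2. Modulo a prime: IDEA-style multiplication mod 2^16 + 1, where the
 *    16-bit value 0 stands for 2^16 so that every input is invertible. */
uint16_t idea_mul(uint16_t a, uint16_t b) {
    uint32_t x = a ? a : 65536u;
    uint32_t y = b ? b : 65536u;
    uint32_t r = (uint32_t)(((uint64_t)x * y) % 65537u);
    return (uint16_t)(r == 65536u ? 0 : r);
}

/* 3. Modulo 2^32, with the 5 upper bits of the product used as a
 *    data-dependent rotation count (the MARS/RC6 idea). */
static uint32_t rotl32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}
unsigned mul_rot_count(uint32_t a, uint32_t b) {
    return (uint32_t)(a * b) >> 27;   /* top 5 bits of the 32-bit product */
}
uint32_t mul_rotate(uint32_t w, uint32_t a, uint32_t b) {
    return rotl32(w, mul_rot_count(a, b));
}

int main(void) {
    /* (2^16 + 1)^2 = 2^32 + 2^17 + 1: halves 0x00000001 and 0x00020001 */
    printf("g_fold(0x10000, 1)            = 0x%08x\n", g_fold(0x10000u, 1u));
    printf("idea_mul(0x8000, 4)           = 0x%04x\n", idea_mul(0x8000u, 4u));
    printf("mul_rotate(1, 0x10000, 0x8000) = 0x%08x\n",
           mul_rotate(1u, 0x10000u, 0x8000u));
    return 0;
}
```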

