lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <530394EF.7010808@dei.uc.pt>
Date: Tue, 18 Feb 2014 17:14:23 +0000
From: Samuel Neves <sneves@....uc.pt>
To: discussions@...sword-hashing.net
Subject: Re: OT: [PHC] multiply-hardening (Re: NoelKDF ready for submission)
On 15-02-2014 07:23, Dennis E. Hamilton wrote:
> This may be completely off in the weeds, but it crossed my mind and I have to ask.
>
> When creating multiplications of word-sized (W-bit) operands, if you produce a 2W-width product, does it work in your scenario to XOR the two product halves together in getting a new W-bit result?
>
A function similar to what you propose was used in the eSTREAM
submission Rabbit [1] as part of the core function:
g(x) = ((x + c)*(x + c)) ^ (((x + c)*(x + c)) >> 32), where c is some
constant. Rabbit was quite successful.

More generally, in symmetric primitives integer multiplication seems to
have been used:
- Modulo some prime, e.g., 2^16+1 in IDEA, 2^32-1 in MMB (non-prime),
  2^64+13 in DFC.
- Modulo 2^32, using the 5 upper bits to define a variable-length
  rotation count (MARS, RC6).
- XOR the upper and lower halves of the full product (only in Rabbit
  as far as I know).
[1] http://www.ecrypt.eu.org/stream/e2-rabbit.html
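The constructions discussed in the message above, written out in C as an added example (not code from the thread, from Rabbit, or from RC6/MARS): a generic W=32 "multiply, then XOR the two halves of the 2W-bit product" fold, the Rabbit-style g function built on it, and the "product mod 2^32, upper 5 bits as rotation count" idiom the list attributes to MARS/RC6. The constant c and the sample inputs are constructed for illustration and are not parameters of any of those ciphers. The comparison with mul_low32 shows why the fold matters: a truncated product ignores the high bits of its operands entirely, while the folded product does not.

```c
#include <stdint.h>
#include <stdio.h>

/* Truncated product: only the low 32 bits survive. The low k bits of
   a*b depend only on the low k bits of a and b, so high operand bits
   are discarded completely. Shown here as the baseline. */
static uint32_t mul_low32(uint32_t a, uint32_t b)
{
    return a * b;                     /* mod 2^32 */
}

/* The construction asked about in the quoted question, for W = 32:
   form the full 64-bit product and XOR its upper and lower halves. */
static uint32_t mul_fold32(uint32_t a, uint32_t b)
{
    uint64_t p = (uint64_t)a * (uint64_t)b;
    return (uint32_t)p ^ (uint32_t)(p >> 32);
}

/* Rabbit-style g function as described in the mail:
   g(x) = ((x+c)^2) ^ ((x+c)^2 >> 32), squaring done at 64-bit width.
   c is an arbitrary constant supplied by the caller (constructed here,
   not Rabbit's actual counter/state value). */
static uint32_t rabbit_g(uint32_t x, uint32_t c)
{
    uint32_t s = x + c;               /* addition mod 2^32 */
    return mul_fold32(s, s);
}

static uint32_t rotl32(uint32_t v, unsigned r)
{
    r &= 31;
    return r ? (v << r) | (v >> (32 - r)) : v;
}

/* The MARS/RC6 idiom as the mail summarises it: product mod 2^32,
   top 5 bits select a data-dependent rotation count. This is the
   idea only, not either cipher's exact round function. */
static uint32_t mul_rot32(uint32_t a, uint32_t b, uint32_t data)
{
    uint32_t t = mul_low32(a, b);
    return rotl32(data, t >> 27);     /* bits 27..31 -> count 0..31 */
}

int main(void)
{
    /* Constructed inputs: operands differ only in the top bit of a. */
    printf("low  : %08x %08x\n", (unsigned)mul_low32(0u, 2u),
                                 (unsigned)mul_low32(0x80000000u, 2u));
    printf("fold : %08x %08x\n", (unsigned)mul_fold32(0u, 2u),
                                 (unsigned)mul_fold32(0x80000000u, 2u));
    printf("g    : %08x\n", (unsigned)rabbit_g(0x10000u, 0u));
    printf("rot  : %08x\n", (unsigned)mul_rot32(1u, 0x08000000u, 1u));
    return 0;
}
```

Running it prints two identical values for the truncated product (0 and 0) but different values for the folded one (0 and 1), which is the whole point of XORing in the upper half.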