lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Feb 2014 00:11:39 +0400
From: Solar Designer <>
Subject: Re: [PHC] "Predictable" vs "pseudorandom" KDFs

On Thu, Feb 27, 2014 at 12:30:50PM -0700, Taylor Hornby wrote:
> On 02/27/2014 06:45 AM, Bill Cox wrote:
> > I need a short name for cache-timing-attack resistant KDFs which do no
> > password dependent memory addressing.  I use the phrase 20 times in my
> > paper, and "KDFs which do no password dependent memory addressing" is
> > a mouthful.  I also use "KDFs which do password dependent addressing
> > from the start" about 20 times, and I discuss my "hybrid" version,
> > which like Scrypt, does the no-password-addressing thing in the first
> > loop, and does the password-dependent thing in the second.
> > 
> > Could we call the first type "predictable" KDFs, since they do only
> > predictable address lookups?  The second type could be "pseudorandom"
> > KDFs.  Are these good names?  I find it is hard for a group to discuss
> > ideas that have no concise name.
> I feel like "predictable" without any other qualifications would
> conflict too much with other uses


> How about "blinded" and "unblinded" (or "nonblinded")?

I dislike these because they emphasize way of achieving something rather
than that end result itself, and in fact blinding might not always be
the way (and in Bill's example is not).

How about "cache timing safe" and "cache timing unsafe"?


Powered by blists - more mailing lists