| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87k3b3okah.fsf@wolfjaw.dfranke.us> Date: Sat, 05 Apr 2014 11:41:58 -0400 From: Daniel Franke <dfoxfranke@...il.com> To: "Poul-Henning Kamp" <phk@....freebsd.dk> Cc: discussions@...sword-hashing.net Subject: Re: Mechanical tests "Poul-Henning Kamp" <phk@....freebsd.dk> writes: > Dieharder looks for bits which do not carry one full bit of entropy, > whivh is important if you are in the market for random-looking bits. > > We are not, we are in the business of making sure that entropy is > not lost, and we do not care if an algorithm spits out 100 bits > with full entropy or 1000 bits each with only 1/10th bit of entropy. Some of the PHC candidates claim to be key derivation functions. In those cases we most assuredly do care about this. It would mean that the effective length of your derived key is only a 1/10 what you thought it was. POMELO's submission document doesn't use the words "key derivation function", but it does claim collision resistance. But if you can find a sequence of inputs which causes the outputs to fails the diehard_birthdays test, then obviously you've reduced its collision resistance to at least something less than 2**(outlen/2) (for outlen expressed in bits). In this case, inputs of 0, 1, 2, 3... did the job.
Powered by blists - more mailing lists