lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 5 Apr 2014 17:48:06 +0100
From: Peter Maxwell <>
To: "" <>
Subject: Re: [PHC] Re: Mechanical tests

On 5 April 2014 16:41, Daniel Franke <> wrote:

> "Poul-Henning Kamp" <> writes:
> > Dieharder looks for bits which do not carry one full bit of entropy,
> > whivh is important if you are in the market for random-looking bits.
> >
> > We are not, we are in the business of making sure that entropy is
> > not lost, and we do not care if an algorithm spits out 100 bits
> > with full entropy or 1000 bits each with only 1/10th bit of entropy.
> Some of the PHC candidates claim to be key derivation functions. In
> those cases we most assuredly do care about this. It would mean that the
> effective length of your derived key is only a 1/10 what you thought it
> was.

​No, PHK's definition was, probably provably, correct (for password hash or
key derivation)​, assuming the *full* output is being used.

> POMELO's submission document doesn't use the words "key derivation
> function", but it does claim collision resistance. But if you can find a
> sequence of inputs which causes the outputs to fails the
> diehard_birthdays test, then obviously you've reduced its collision
> resistance to at least something less than 2**(outlen/2) (for outlen
> expressed in bits). In this case, inputs of 0, 1, 2, 3... did the job.

Collision resistance is different from "estimating" entropy in specific
bits, which is a different - albeit important for KDFs - kettle of fish.

Content of type "text/html" skipped

Powered by blists - more mailing lists