| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 Apr 2014 22:06:11 -0400 From: Daniel Franke <dfoxfranke@...il.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] Re: EARWORM review Bill Cox <waywardgeek@...il.com> writes: > You're not the first author to feel it would be too much like Solar > Designer's work to make a nice improvement. I like everything about yescrypt except for its complexity. I hope that EARWORM, which is much simpler, holds up well. But if it doesn't, and it turns out that a medium-to-large RAM is truly necessary in order to achieve acceptable security levels, then I think the better path to perfection consists of ripping unnecessary things out of yescrypt, not bolting new ones onto EARWORM. > EARWORM is well differentiated from yescript, IMO. It is a slimmer > simpler special purpose tool. The reliance on AESENC instructions and > the super fast read-only hashing sets it apart. EARWORM's hashing speed is certainly a selling point, but its reliance specialized CPU features certainly isn't! > My theoretical attack boarders on a banana attack, but I think it's > worth keeping in mind. I wouldn't make the change you're suggesting in > response to it. I really do like EARWORM the way it is. Even if the change doesn't significantly mitigate any known attack, on further reflection I think EARWORM is currently breaking a cardinal rule of cryptographic design: unnecessary structure is bad! I guess I can postpone my decision on EARWORM until the next round, but the GPU-friendly variant I'm developing (it's going to be called GLOWWORM) is definitely going to have a flat arena.
Powered by blists - more mailing lists