Message-ID: <87vbuoo7ho.fsf@wolfjaw.dfranke.us>
Date: Fri, 04 Apr 2014 22:06:11 -0400
From: Daniel Franke <dfoxfranke@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Re: EARWORM review

Bill Cox <waywardgeek@...il.com> writes:

> You're not the first author to feel it would be too much like Solar
> Designer's work to make a nice improvement.

I like everything about yescrypt except for its complexity. I hope that
EARWORM, which is much simpler, holds up well. But if it doesn't, and it
turns out that a medium-to-large RAM is truly necessary in order to
achieve acceptable security levels, then I think the better path to
perfection consists of ripping unnecessary things out of yescrypt, not
bolting new ones onto EARWORM.

> EARWORM is well differentiated from yescrypt, IMO.  It is a slimmer
> simpler special purpose tool.  The reliance on AESENC instructions and
> the super fast read-only hashing sets it apart.

EARWORM's hashing speed is certainly a selling point, but its reliance
on specialized CPU features certainly isn't!

> My theoretical attack borders on a banana attack, but I think it's
> worth keeping in mind. I wouldn't make the change you're suggesting in
> response to it.  I really do like EARWORM the way it is.

Even if the change doesn't significantly mitigate any known attack, on
further reflection I think EARWORM is currently breaking a cardinal rule
of cryptographic design: unnecessary structure is bad! I guess I can
postpone my decision on EARWORM until the next round, but the
GPU-friendly variant I'm developing (it's going to be called GLOWWORM)
is definitely going to have a flat arena.
