Message-ID: <CA+aY-u64u8ULtYRwMd6qZaiL0-qUC0OS8umKUSYksyJue0CzeQ@mail.gmail.com>
Date: Sat, 5 Apr 2014 19:29:21 +0100
From: Peter Maxwell <peter@...icient.co.uk>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Re: Mechanical tests
On 5 April 2014 19:12, Daniel Franke <dfoxfranke@...il.com> wrote:
> "Poul-Henning Kamp" <phk@....freebsd.dk> writes:
>
> > This is not a KDF-contest.
> >
> > This is a password-scrambler contest.
>
> This message's thread-grandparent was a reply to Peter Maxwell, who wrote:
>
> > No, PHK's definition was, probably provably, correct (for password
> > hash or key derivation), assuming the *full* output is being used.
>
> I'm not disputing your (PHK's) claim that a function outputting 1000 bits
> with only 100 bits of entropy can be an acceptable password
> scrambler. I'm disputing Peter's claim that it can also be an acceptable
> KDF, as well as any claim (which I'm not attributing to anyone) that it
> can be an acceptable collision-resistant hash function.
>
Ok, to avoid this being an intractably long evening, please define
"entropy".

If we choose a password from a space of, say, 2^64 -- just for argument's
sake -- then if your output space is >2^64 in size your function obviously
cannot be surjective, i.e. there are lots and lots of elements in the
codomain, y, say for which there isn't an x s.t. y = f(x).

In other words, it doesn't matter what we choose the output length to be,
2^128 or 2^1024, if the function is injective then you don't lose "entropy"
but you also don't fill the output space.

It doesn't mean it makes a good KDF but if the function is injective and
the codomain is larger than the domain, it does mean you do not lose this
very woolly definition of information.
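
The injectivity argument in the message above can be checked numerically. The following is an added example, not part of the original post: it assumes a constructed toy password space of 2^12 inputs (the post uses 2^64) and uses truncated SHA-256 as a hypothetical stand-in scrambler, then measures the Shannon entropy of the output and how much of the codomain is actually reached at several output lengths.

```python
import hashlib
import math
from collections import Counter

DOMAIN_BITS = 12  # constructed toy password space: 2^12 equally likely inputs


def scramble(x: int, out_bits: int) -> int:
    """Hypothetical stand-in scrambler: SHA-256 truncated to out_bits bits."""
    digest = hashlib.sha256(x.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def measure(out_bits: int) -> dict:
    """Push a uniform input distribution through scramble() and measure the output."""
    n = 1 << DOMAIN_BITS
    counts = Counter(scramble(x, out_bits) for x in range(n))
    # Shannon entropy of the induced output distribution, in bits.
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return {
        # Injective on this domain: every input landed on a distinct output.
        "injective": len(counts) == n,
        "output_entropy_bits": entropy,
        # Share of the codomain that has a preimage (1.0 would mean surjective).
        "image_fraction": len(counts) / 2 ** out_bits,
    }


if __name__ == "__main__":
    # 8 bits is narrower than the domain, so collisions are forced and
    # entropy drops; wider outputs keep all 12 bits but stay almost empty.
    for bits in (8, 64, 128, 256):
        print(bits, measure(bits))
```

Widening the output from 64 to 256 bits leaves the measured entropy at 12 bits and only shrinks the fraction of the codomain that is reachable, which is the distinction the message draws between not losing entropy and not filling the output space.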