[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <loom.20140405T231450-276@post.gmane.org>
Date: Sat, 5 Apr 2014 21:28:39 +0000 (UTC)
From: Evgeny Kapun <abacabadabacaba@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: Yarn issues
Bill Cox <waywardgeek@...> writes:
> The last PHS submission I read (because of it's position in the
> alphabet) was Yarn. He didn't submit his code with the PHS prototype,
> which annoyed me, because I'm trying to compile it. There's no
> Makefile, no main function, indentation by tab (one keystroke) and
> there's not one freaking comment in his code. Grr...
I did resubmit with the PHS prototype (before the deadline, of course),
but for some reason the first version was used rather than the second
one.
> What are the odds that he messed up on his Blake2b or AES
> implementations, which seem to be written in his style, so I'm
> guessing he wrote them from scratch? I'm not going to take that
> bet... I did check his initial key derivation. I'd say at least
> 1/3rd of the entries have obvious input collisions, mostly from doing
> H(password || salt), which allows trivial collisions by moving the
> boundary between password and salt.
I've checked both AES and Blake2b against known outputs, so they are
most likely correct.
> If I am not mistaken, he has input collisions on both salt, and a
> parameter called "pers". Both are padded with 0's to 8 bytes, and
> XOR-ed onto Blake2b state, so adding additional 0's up to a total
> length of 8 doesn't change the output. The password is free of such
> collisions, so this isn't a critical issue. He also has a spelling
> error on the last line of his README
Blake2b has exactly the same kind of collisions. Even Blake has only
fixed-width salt.
Powered by blists - more mailing lists