Date: Tue, 15 Apr 2014 16:46:52 -0300 (BRT)
From: Marcos Antonio Simplicio Junior <mjunior@...c.usp.br>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] gambit wiki strength

Hi. 

> Lyra contrasts its reverse order to bit-reversal, and adopted a
> cache-timing-resistant first loop in what I call a "hybrid"
> architecture. I'm hopeful I might have influenced this decision to
> go hybrid, but it was probably Catena. IIRC, the original Lyra had
> little cache-timing attack resistance (like Scrypt), but I could be
> wrong.
Don't underestimate yourself, Bill: your discussion on the Setup of Catena and Lyra made us think more about it, so you did influence the design of Lyra2. :-) 

OTOH, to be honest we were focusing on time-memory trade-offs rather than obtaining better cache-timing resistance. Lyra2 is indeed more resistant to cache-timing attacks than Lyra, but this was a "plus" rather than our original goal. That being said, it is hard to say if the resistance obtained is good enough, and that is why I would rather put this as a potential weakness as mentioned in my other e-mail. 

BR, 

Marcos. 
