lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 15 Apr 2014 21:37:42 -0300 (BRT)
From: Marcos Antonio Simplicio Junior <mjunior@...c.usp.br>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] more woes, last woes

Hi, Bill. 

We have tested a few ideas and "manually" pebbled them trying to find a reasonably good strategy. As discussed in the documentation, our "reverse visitation" combined with the XOR with future nodes did a reasonably good job (surprisingly even for us, better than bit reversal when we reduced the memory usage to 1/8!). That is why we went with this simple approach. Actually, maybe the documentation can give you an idea on how to take advantage of the "one input tells me the other" issue, which we considered in this manual pebbling. 

I shall say, though, that we are not completely sure about which is the best alternative. I personally feel that there may be better (and similarly simple) approaches, which we plan to programmatically test before the "tweak phase". One that seems particularly promising is to XOR the rotated sponge's output from left to right (rather than right to left as today), and then read nodes from right to left as today but with a growing step as the memory filling progresses. We will let you know the results :-) 

Marcos. 

----- Mensagem original -----

> De: "Bill Cox" <waywardgeek@...il.com>
> Para: discussions@...sword-hashing.net
> Enviadas: Terça-feira, 15 de Abril de 2014 18:50:29
> Assunto: Re: [PHC] more woes, last woes

> Looking at the Lyra2 code again, I see that rowa is XOR-ed with a
> 64-bit rotation of the 768-bit state. I did not model this. One way
> to deal with it is to double the graph size, since two nodes are
> written at each step rather than one. As with Gambit, I'm not sure
> exactly what to make of the XOR vs a stronger function. Knowing the
> value of the XOR-ed node, and one input tells me the other, and I'm
> sure that can be used to improve a pebbling attack, but I haven't
> any clue how to enhance the algorithm to take good advantage of
> this.

> However, I am not a fan of the backwards counting edge destination.
> There are several alternatives that perform well.

> Bill
Content of type "text/html" skipped

Powered by blists - more mailing lists