lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 17 Apr 2014 23:02:24 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Lyra2 initial review

On Thu, Apr 17, 2014 at 02:31:55PM -0400, Bill Cox wrote:
> Alexander's time cost parameter is used in a way that seems to increase
> memory writes in a manner similar to Lyra2, if I'm not mistaken.  If I
> understand things right, there's some ratio of Lyra2 t_cost to Yescript
> t_cost where both have roughly equal TMTO resistance.

Yes, I think so too.

In case an unexpectedly effective TMTO attack on yescrypt is found, it
may be remedied by recommending a higher t, which is already a tunable.
(So this may be done at any point in the future, for future yescrypt
hashes, while retaining compatibility.)  Since t=1 and t=2 have only
slight impact on normalized area-time (reducing it to 96% and 89% of
optimal, respectively), they may be chosen over t=0 to gain extra TMTO
resistance, if desired.  At this time, though, I think t=0's TMTO
resistance is sufficient.

It sounds like Lyra2's defaults correspond to lower normalized area-time
(something like 50% of optimal?) than even yescrypt's t=2.

Alexander

Powered by blists - more mailing lists