Message-ID: <CALW8-7JV4uuyMptm1aLip+F3GZPMSOmV6Z5Nw_9U37pyO_6obg@mail.gmail.com>
Date: Wed, 6 Aug 2014 10:31:25 -0700
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Tradeoff cryptanalysis of password hashing schemes

Hi all,

here is the link to the slides of the talk I have just given at
PasswordsCon'14. It investigates time-memory tradeoffs for PHC candidates
Catena, Lyra2, and Argon, and estimates the energy cost per password on an
optimal ASIC implementation with full or reduced memory.

https://www.cryptolux.org/images/5/57/Tradeoffs.pdf

Additional comment: It is a standard practice in the crypto community to
give explicit security claims for the recommended parameter sets so that
cryptanalysts could easily identify the primary targets. Many PHC
candidates do not follow this rule by not only missing these claims but
also concealing the recommended parameters. As a result, cryptanalysts like
me spend valuable time attacking wrong sets or spreading the attention over
multiple targets.

Remember: third-party cryptanalysis increases the confidence in your
design, not decreases it (unless it is badly broken). Analysis of a 5%-part
of your submission (one of 20 possible parameter sets) is little better
than no analysis at all. It is also worth mentioning that to make a fair
comparison of candidates, benchmarks and performance discussion in general
should cover recommended parameter sets only.

--
Best regards,
Dmitry Khovratovich