lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 6 Aug 2014 10:31:25 -0700
From: Dmitry Khovratovich <>
To: "" <>
Subject: Tradeoff cryptanalysis of password hashing schemes

Hi all,

here is the link to the slides of the talk I have just given at
PasswordsCon'14. It investigates time-memory tradeoffs for PHC candidates
Catena, Lyra2, and Argon, and estimates the energy cost per password on an
optimal ASIC implementation with full or reduced memory.

Additional comment: It is a standard practice in the crypto community to
give explicit security claims for the recommended parameter sets so that
cryptanalysts could easily identify the primary targets. Many PHC
candidates do not follow this rule by not only missing these claims but
also concealing the recommended parameters. As a result, cryptanalysts like
me spend valuable time attacking wrong sets or spreading the attention over
multiple targets.

Remember: third-party cryptanalysis increases the confidence in your
design, not decreases it (unless it is badly broken). Analysis of a 5%-part
of your submission (one of 20 possible parameter sets) is little better
than no analysis at all. It is also worth mentioning that to make fair
comparison of candidates, benchmarks and performance discussion in general
should cover recommended parameter sets only.
Best regards,
Dmitry Khovratovich

Content of type "text/html" skipped

Powered by blists - more mailing lists