lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 06 Aug 2014 18:10:28 -0300
From: Marcos Simplicio <>
Subject: Re: [PHC] Tradeoff cryptanalysis of password hashing schemes

Hi, all.

Very interesting analysis! We noticed the same attack venue described in
slide 47 for Lyra2 some time ago, so we provided and evaluated a simple
fix in the version provided in our website (, see
section of the specification). I'm not sure how the tradeoffs
table is affected by this fix, but the costs are likely to grow (at
least that was my impression by crossing your results with our
preliminary analysis).

BTW, the document in our website is being continuously updated as new
tests are performed, so we expect to introduce this and possibly other
tweaks in the corresponding phase of the PHC. We are still evaluating
the "possible extensions" mentioned in the original submission, for example.



On 06-Aug-14 14:31, Dmitry Khovratovich wrote:
> Hi all,
> here is the link to the slides of the talk I have just given at
> PasswordsCon'14. It investigates time-memory tradeoffs for PHC candidates
> Catena, Lyra2, and Argon, and estimates the energy cost per password on an
> optimal ASIC implementation with full or reduced memory.
> Additional comment: It is a standard practice in the crypto community to
> give explicit security claims for the recommended parameter sets so that
> cryptanalysts could easily identify the primary targets. Many PHC
> candidates do not follow this rule by not only missing these claims but
> also concealing the recommended parameters. As a result, cryptanalysts like
> me spend valuable time attacking wrong sets or spreading the attention over
> multiple targets.
> Remember: third-party cryptanalysis increases the confidence in your
> design, not decreases it (unless it is badly broken). Analysis of a 5%-part
> of your submission (one of 20 possible parameter sets) is little better
> than no analysis at all. It is also worth mentioning that to make fair
> comparison of candidates, benchmarks and performance discussion in general
> should cover recommended parameter sets only.

Powered by blists - more mailing lists