lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 9 Aug 2014 13:46:18 -0700
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Tradeoff cryptanalysis of password hashing schemes

I agree with Dmitry that more accurate security claims would help
cryptanalysts to understand what qualifies as an attack. It will also
help the PHC panel assessing the relative value of the submissions.
Refine security claims will thus be regarded positively by the panel.


On Wed, Aug 6, 2014 at 10:31 AM, Dmitry Khovratovich
<khovratovich@...il.com> wrote:
> Hi all,
>
> here is the link to the slides of the talk I have just given at
> PasswordsCon'14. It investigates time-memory tradeoffs for PHC candidates
> Catena, Lyra2, and Argon, and estimates the energy cost per password on an
> optimal ASIC implementation with full or reduced memory.
>
> https://www.cryptolux.org/images/5/57/Tradeoffs.pdf
>
> Additional comment: It is a standard practice in the crypto community to
> give explicit security claims for the recommended parameter sets so that
> cryptanalysts could easily identify the primary targets. Many PHC candidates
> do not follow this rule by not only missing these claims but also concealing
> the recommended parameters. As a result, cryptanalysts like me spend
> valuable time attacking wrong sets or spreading the attention over multiple
> targets.
>
> Remember: third-party cryptanalysis increases the confidence in your design,
> not decreases it (unless it is badly broken). Analysis of a 5%-part of your
> submission (one of 20 possible parameter sets) is little better than no
> analysis at all. It is also worth mentioning that to make fair comparison of
> candidates, benchmarks and performance discussion in general should cover
> recommended parameter sets only.
> --
> Best regards,
> Dmitry Khovratovich

Powered by blists - more mailing lists