lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 22 Aug 2014 20:09:47 +0000
From: Greg Zaverucha <>
To: "" <>
Subject: RE: [PHC] What Microsoft Would like from the PHC - Passwords14

Hi Alexander, thanks for your comments!

To your first comment (security with low memory), this is a good point, one we hadn't discussed.  In the comparison, candidates were marked Yes for "use cases" if it was technically possible to use them in each use case.  The goal was to quickly identify candidates for a second round of deeper analysis (including security). 

In terms of side-channels, candidates were marked "Yes" if this was a design goal and/or no obvious timing channels exist.  A proper evaluation of this criteria requires more time than I had available to spend on each candidate.  So a "Yes" isn't a guarantee of side-channel resistance, just that it is potentially side-channel resistant (this was in my notes, but didn't make it to the slides, unfortunately).    For Pufferfish v0, I didn't see any data-dependent branches, memory accesses, or variable time operations, and the authors make no claims and provide no analysis.  


-----Original Message-----
From: Solar Designer [] 
Sent: Thursday, August 21, 2014 2:29 PM
Subject: Re: [PHC] What Microsoft Would like from the PHC - Passwords14 presentation

On Fri, Aug 15, 2014 at 06:17:27PM +0000, Marsh Ray wrote:
> Passwords14 presentation: What Microsoft Would like from the PHC
> Slides attached.
> Video:

Very nice presentation, thank you!

Here's a biased opinion:

On slide 14, "Use Case 1 - Online Services", you state "Multiple authentication servers, each handles 100s of requests/second".  This means fairly low memory, possibly below 16 MB RAM per hash computed.
(Depends on how many 100s of requests/second per server you need to support.  Perhaps several times more than the peak seen so far; this is how we arrived at 1000s per second for yescrypt.)  Then on slide 35, "Comparison", you list many PHC candidates as supporting all of your use cases.  To me, some of them are unsuitable for "low memory" usage - they will work, but they are unlikely to provide GPU attack resistance comparable to bcrypt's at same defensive request rate capacity.  Is being at least on par with bcrypt at your use cases not a requirement?

Here's what I think is an error:

Is Pufferfish v0 really side-channel resistant?  I think it's similar to bcrypt in this respect, and we don't consider bcrypt to be cache-timing attack resistant, or do we?

(I don't imply that all other PHC candidates with a "Yes" in that column are necessarily side-channel resistant.  I merely noticed this one apparent error.  There might be more.)

Thanks again,


Powered by blists - more mailing lists