Date: Fri, 22 Aug 2014 17:02:47 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] What Microsoft Would like from the PHC - Passwords14 presentation

On Thu, Aug 21, 2014 at 06:58:05PM -0400, Bill Cox wrote:
> The authors also got yescrypt wrong in this column, with a "no" for cache
> timing resistance.  It obviously has the same cache timing resistance
> characteristics as the other hybrid designs, which are labelled with
> "maybe" rather than "no".

As it is, yescrypt only achieves the partial cache timing resistance
when both YESCRYPT_RW and YESCRYPT_PWXFORM are disabled, and the ROM
access mask is set such that the ROM isn't used until reaching SMix2
(or there's no ROM).  Unfortunately, in such configurations yescrypt
might not provide enough advantage over scrypt to justify deviating from
classic scrypt.  (Well, maybe with a ROM used in SMix2 the advantage is
sufficient.)

I am planning to add "optional full or partial cache timing side-channel
resistance", perhaps via extra flags, but it is not in there yet.

Alexander
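
The "partial" resistance discussed in the message above comes from the classic scrypt structure: SMix1 fills memory at indices that do not depend on the password, while SMix2 reads at indices derived from password-dependent state. The sketch below is an added illustration, not part of the original message and not yescrypt code; SHA-256 stands in for BlockMix, and the function names, the toy N of 16, and the sample passwords and salt are all constructed for the example.

```python
import hashlib

N = 16  # toy memory size in blocks (assumption; real scrypt uses a much larger N)

def mix(block: bytes) -> bytes:
    # Stand-in for scrypt's BlockMix (assumption: SHA-256 instead of Salsa20/8).
    return hashlib.sha256(block).digest()

def integerify(block: bytes) -> int:
    # Toy Integerify: derive a memory index from the current state.
    return int.from_bytes(block[:8], "little") % N

def smix_trace(password: bytes, salt: bytes):
    """Run a toy SMix and return the V indices touched in each phase."""
    x = hashlib.pbkdf2_hmac("sha256", password, salt, 1, 32)
    v, smix1, smix2 = [], [], []
    for i in range(N):
        # SMix1: sequential fill, the index is only the loop counter.
        v.append(x)
        smix1.append(i)
        x = mix(x)
    for _ in range(N):
        # SMix2: the index comes from state derived from the password.
        j = integerify(x)
        smix2.append(j)
        x = mix(bytes(a ^ b for a, b in zip(x, v[j])))
    return smix1, smix2

def differing_phases(pw_a: bytes, pw_b: bytes, salt: bytes):
    """Name the phases whose memory access pattern differs between two passwords."""
    a1, a2 = smix_trace(pw_a, salt)
    b1, b2 = smix_trace(pw_b, salt)
    phases = []
    if a1 != b1:
        phases.append("SMix1")
    if a2 != b2:
        phases.append("SMix2")
    return phases

if __name__ == "__main__":
    # Constructed inputs: only the SMix2 access pattern tells the passwords apart.
    print(differing_phases(b"correct horse", b"battery staple", b"constructed-salt"))
```

Any data-dependent lookup moved into the first phase makes the SMix1 trace password-dependent as well, which is why the configuration conditions listed in the message matter.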
