lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 22 Aug 2014 19:35:47 +0400
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Tradeoff cryptanalysis of password hashing schemes

On Fri, Aug 22, 2014 at 06:31:24PM +0400, Solar Designer wrote:
> Suppose you'd optimally attack Catena-3 at 1/32 memory, and Lyra2 and
> Argon at full memory.  However, if Catena-3 at same defensive memory
> cost setting is e.g. twice faster than Lyra2 and Argon (an arbitrary
> number for the sake of illustrating my point), then this may enable a
> defender to use roughly twice more memory with Catena-3 to achieve the
> same (maximum affordable) time cost per hash computed.  Once Catena-3 is
> tuned like that, its non-tradeoff area-time cost probably grows by a
> factor of 4, meaning that it loses to Lyra2 and Argon only by a factor
> of 8, not 32 as this could have originally appeared.

I was wrong in "only by a factor of 8, not 32".  For a moment I confused
1/32 being the optimal tradeoff point as the attack being 32 times
cheaper, but it's not as bad as that.

Alexander

Powered by blists - more mailing lists