Message-ID: <5405E101.30502@dei.uc.pt>
Date: Tue, 02 Sep 2014 16:23:45 +0100
From: Samuel Neves <sneves@....uc.pt>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] A review per day - Schvrch
On 09/02/2014 02:13 PM, Bill Cox wrote:
> However, if you want to have some fun, I think there is an even more
> serious attack that can be done which is worse than any of these that
> I've pointed out today. If you want a fun challenge, examine the stir
> function carefully from the point of view of an attacker. For
> example, data only flows from low bits to high bits. The value of the
> low 8 bits out in no way depends on the upper 7 bytes of any word of
> state. There may be a devastating modulo 256 attack here. This is
> why people use ARX (add/rotate/xor) operations in secure hashes.
> POMELO uses these, plus unpredictable memory reads, frustrating my
> more serious attacks. Schvrch has no rotate. I suspect there is a
> very cool attack that can be made that takes advantage of this. Have
> fun :-)
This is not correct. The comparison operation takes into account all bits of its operands, thus making the conditional negation dependent on the upper bits of words as well. This does not have as fast diffusion as a rotation, for instance, but diffusion from most to least significant bits does occur.
You can alternatively represent stir's inner loop as follows:
const uint64_t x = state[(j+3)%256];
const uint64_t y = state[(j+2)%256];
/* c is the borrow out of x - y, i.e. c == 1 iff x < y (unsigned), so every bit of x and y feeds into it */
const uint64_t c = (x^((x^y)|((x-y)^y))) >> 63;
/* c - 1 is 0 when x < y and all-ones otherwise: a conditional bitwise negation of state[j+1] */
carry ^= state[(j+1)%256] ^ (c - 1);
state[j] ^= carry;
carry += mixer;
This way it might be easier to see how differences propagate from higher bits to lower bits.
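As an added illustration (not part of the message above, and not code from the Schvrch submission): the following C checks that the branchless expression for c really is the unsigned comparison x < y, then runs one iteration of the rewritten inner loop on two constructed 256-word states that differ only in bit 63 of the word supplying x. The initial carry and mixer values (both 0) and the state contents are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Branchless unsigned "x < y" as written in the rewritten stir loop: the top
   bit of the expression is the borrow out of x - y. */
static uint64_t lt_bit(uint64_t x, uint64_t y) {
    return (x ^ ((x ^ y) | ((x - y) ^ y))) >> 63;
}

/* Compare the formula against the plain C comparison on edge-case operands.
   Returns 1 if every pair agrees, 0 otherwise. */
static int lt_formula_matches(void) {
    const uint64_t v[] = {0, 1, 2, 0x7FFFFFFFFFFFFFFFull, 0x8000000000000000ull,
                          0x8000000000000001ull, 0xFFFFFFFFFFFFFFFFull,
                          0x00000000FFFFFFFFull};
    const size_t n = sizeof v / sizeof v[0];
    for (size_t i = 0; i < n; i++)
        for (size_t k = 0; k < n; k++)
            if (lt_bit(v[i], v[k]) != (uint64_t)(v[i] < v[k]))
                return 0;
    return 1;
}

/* One iteration of the inner loop as given in the message, for index j.
   Returns the updated state[j]. */
static uint64_t stir_step(uint64_t state[256], uint64_t *carry,
                          uint64_t mixer, int j) {
    const uint64_t x = state[(j + 3) % 256];
    const uint64_t y = state[(j + 2) % 256];
    const uint64_t c = lt_bit(x, y);           /* depends on all 64 bits of x, y */
    *carry ^= state[(j + 1) % 256] ^ (c - 1);  /* conditional negation */
    state[j] ^= *carry;
    *carry += mixer;
    return state[j];
}

/* Flip only bit 63 of the word feeding x and report which bits of the low
   byte of state[j] change (as a mask). A non-zero result shows the most
   significant bit reaching the least significant byte in one step. */
static unsigned high_bit_low_byte_difference(void) {
    uint64_t a[256], b[256];
    for (int i = 0; i < 256; i++)               /* constructed filler state */
        a[i] = b[i] = 0x0123456789ABCDEFull * (uint64_t)(i + 1);
    /* j = 0, so x = state[3] and y = state[2]. */
    a[3] = 5;                 a[2] = 9;         /* x < y  -> c = 1 */
    b[3] = 5 | (1ull << 63);  b[2] = 9;         /* x > y  -> c = 0 */
    uint64_t ca = 0, cb = 0;                    /* assumed initial carry */
    const uint64_t ra = stir_step(a, &ca, 0, 0); /* assumed mixer = 0 */
    const uint64_t rb = stir_step(b, &cb, 0, 0);
    return (unsigned)((ra ^ rb) & 0xFF);
}

int main(void) {
    printf("formula matches x < y: %d\n", lt_formula_matches());
    printf("low-byte difference after flipping bit 63 of x: 0x%02X\n",
           high_bit_low_byte_difference());
    return 0;
}
```

Because the comparison result flips, the second state XORs in ~state[1] instead of state[1], so every bit of state[0], including the whole low byte, differs between the two runs.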