lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 03 Sep 2014 00:43:00 +0100
From: Samuel Neves <>
Subject: Re: [PHC] A review per day - Schvrch

On 09/02/2014 11:57 PM, Bill Cox wrote:
> Final note - it is not clear to me that having me review a hash
> demonstration makes sense.  I tried to avoid it, but failed to pull it
> off in a politically correct way.

FWIW, I think pointing out bugs in reference implementations is absolutely helpful. However, it should have no bearing
on the evaluation of the *algorithm*. There may be cases where the algorithm itself cannot be securely implemented, and
that is a more subtle matter.

In other words, if POMELO or Schvrch have input validation bugs, that does not mean they should be rejected, but it
should be pointed out nonetheless. However, if they present (say) nonrandom behavior or have practical distinguishers of
some kind, or have some computational shortcut, that is a much more serious indictment of the submission.

Content of type "text/html" skipped

Powered by blists - more mailing lists