lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 11 Sep 2014 19:35:31 +0100
From: Samuel Neves <>
Subject: Re: [PHC] A review per day - Lyra2

On 09/11/2014 06:00 PM, Marcos Simplicio wrote:
> Well, we have been taking a look at the literature but only a few
> algorithms do employ multiplications in their design and even fewer are
> not considered broken or weakened...
> Considering the great performance provided by Blake2 (since it can beat
> MD5 and remain secure, I do not expect to find anything nearly as
> good!), we are actually considering adding multiplications to it and see
> what happens in terms of security and performance. It would at least be
> one alternative to plain Blake2 (we are not planning to force any choice
> for "f" anyway). I hope Samuel Neves and the other authors of Blake2 do not
> I would gladly use your multiplication chain for the sake of testing
> too, but I would not recommend it until further analysis (please do not
> take this personally, but I'm paid to be paranoid :) )

I can't speak for all of BLAKE2 team, but making some BLAKE2 variant is fine by me, so long as it's made explicit that
it's not the "real" BLAKE2.

Let me offer a suggestion: replace the '+' operation in the core permutation by f(x, y) = 2*x*y + x + y. This is a latin
square (invertible on both operands), like addition, and in my tests shows extremely quick diffusion (around twice as
fast to achieve full diffusion than the BLAKE2 version). This can be seen as the Z/2^nZ counterpart to NORX's f(x, y) =
x ^ y ^ ((x&y) << 1).

On the 32-bit version of the permutation, it is straightforward to replace vpaddd with vpmulld + vpaddd. For the 64-bit
version, there is no direct replacement, so the 64-bit multiplication must be emulated, or implemented without SIMD.
Luckily, the upcoming Skylake processors will include the vpmullq instruction with the AVX-512 instruction set, which
puts SIMD back on the table.

Powered by blists - more mailing lists