Message-ID: <795434884.20140917202240@gmail.com>
Date: Wed, 17 Sep 2014 20:22:40 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] omegacrypt and timing

epixoip (at Wednesday, September 17, 2014, 7:17:21 PM):
> I've never heard that this was a no-no in the context of password
> hashing.

what is the fundamental difference between password hashing and other
areas that makes that rule not in effect?

> On the contrary, data-dependent branching is something that has
> been considered highly desirable in password hashing, but viewed as
> difficult to implement in a way where it is actually effective.

it is not contradictory. there can be positive effects, but it does
not make the negative effects nonexistent. one might say the benefits
outweigh the drawbacks.

however, i'm not convinced that a potential break is worth the extra
defense. for all algorithms allowing it, i recommend countermeasures
against timing. for schvrch (or what the heck the name is) it is easy,
mostly just a little bit of care. for antcrypt, it is a great impact
on speed. for omegacrypt, there is some impact, but maybe not
devastating.