Date: Wed, 17 Sep 2014 11:53:33 +0200
From: Dmitry Khovratovich <>
To: "" <>
Subject: Re: [PHC] omegacrypt and timing

The running time will be different, but the question is how you are going
to exploit it without full hashing. Suppose you have the time information,
then you do only partial hashing and look at the running time of this part.
Both running times should have a normal distribution, so you might be able to
calculate your advantage in terms of false positive and false negative
rates. However, to win even a factor of two, your distributions should have
a very large sigma, which is doubtful if you have, say, millions of branches.

On Wed, Sep 17, 2014 at 10:56 AM, Krisztián Pintér <> wrote:

> can someone explain to me how omegacrypt does not leak secret through
> timing? i mean total runtime, not cache timing.
> in the central part, we derive a 0..3 number B from the secret, and
> based on that value we do different branches that have different numbers
> of operations. B will on average have all possible values with the
> same probability, but there will be a deviation. therefore for two
> given passwords, the total running time is different.
> i understand that memory latency screws up such fine grained timing,
> making practical attacks difficult. but theoretically there is a leak.
> am i right?

Best regards,
Dmitry Khovratovich
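
Added example, not part of the original messages: a Python model of the false-positive/false-negative trade-off the reply above describes for a partial-hashing test. The branch costs, the noise-free knowledge of the target's total cost, and the threshold rule are assumptions made for illustration, not OmegaCrypt's real parameters.

```python
import math

# Assumed operation counts for the branches selected by B = 0..3.
# Constructed values: the thread does not give OmegaCrypt's real costs.
BRANCH_COST = (10, 12, 14, 16)

def branch_stats(costs=BRANCH_COST):
    """Mean and standard deviation of one branch's cost for uniform B."""
    mu = sum(costs) / len(costs)
    sigma = math.sqrt(sum((c - mu) ** 2 for c in costs) / len(costs))
    return mu, sigma

def relative_spread(n, costs=BRANCH_COST):
    """sigma/mean of the total cost of n independent branches."""
    mu, sigma = branch_stats(costs)
    return sigma / (mu * math.sqrt(n))

def phi(x):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def early_reject(n, k, z_total, cut):
    """Error rates and work saved by a partial-hash test.

    Model (assumption): branch costs are i.i.d., so sums are normal (CLT).
    The target's total cost is known exactly and lies z_total sigmas above
    the mean. A candidate is hashed for k of n branches and kept only if its
    partial cost is at least `cut` sigmas (of a k-branch sum) above k*mu.
    Returns (false_negative, false_positive, speedup).
    """
    f = k / n
    # Wrong candidate: partial cost is standard normal in these units.
    false_positive = 1.0 - phi(cut)
    # Correct password, conditioned on its total: mean z_total*sqrt(f),
    # standard deviation sqrt(1 - f), in the same units.
    false_negative = phi((cut - z_total * math.sqrt(f)) / math.sqrt(1.0 - f))
    # Average cost per wrong candidate, as a fraction of one full hash.
    work = f + false_positive * (1.0 - f)
    return false_negative, false_positive, 1.0 / work

if __name__ == "__main__":
    print("relative spread, 10^6 branches:", relative_spread(10**6))
    for z in (0.0, 1.0, 3.0):
        print(z, early_reject(10**6, 250_000, z, cut=0.43))
```

In this model the error rates depend only on k/n and on how far the target's total lies from the mean, while `relative_spread` shows how small that deviation is next to the whole runtime once the branch count reaches the millions.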
