Message-ID: <CALW8-7L0qHyA59N7qC61CYCDZoP_C2LeKLROKztey2AXoqO2gA@mail.gmail.com>
Date: Wed, 17 Sep 2014 11:53:33 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] omegacrypt and timing

The running time will be different, but the question is how you are going
to exploit it without full hashing. Suppose you have the time information,
then you do only partial hashing and look at the running time of this part.
Both running times should have a normal distribution, so you might be able to
calculate your advantage in terms of false positive and false negative
rates. However, to win even a factor of two, your distributions should have
a very large sigma, which is doubtful if you have, say, millions of branches.

On Wed, Sep 17, 2014 at 10:56 AM, Krisztián Pintér <pinterkr@...il.com>
wrote:
> can someone explain to me how omegacrypt does not leak secret through
> timing? i mean total runtime, not cache timing.
>
> in the central part, we derive a number B in 0..3 from the secret, and
> based on that value we do different branches that have different numbers
> of operations. B will on average have all possible values with the
> same probability, but there will be a deviation. therefore for two
> given passwords, the total running time is different.
>
> i understand that memory latency screws up such fine-grained timing,
> making practical attacks difficult. but theoretically there is a leak.
> am i right?
>
--
Best regards,
Dmitry Khovratovich
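
Added example, not part of the original thread and not OmegaCrypt code: a small model of the quantity under discussion, the total operation count when a secret-derived B in 0..3 selects one of four branches of unequal cost, together with the mean and sigma of that total for a given number of branches. The per-branch costs in `BRANCH_COST` and the SHA-256 based selector are assumptions made for illustration.

```python
import hashlib
import math

# Hypothetical operation counts for the four branches B = 0..3 (assumption:
# the thread only says the branches differ in their number of operations).
BRANCH_COST = (3, 5, 4, 8)

def branch_sequence(password: bytes, n: int) -> list:
    """Toy selector, not OmegaCrypt's: B is 2 bits of SHA-256(password || counter)."""
    seq, counter = [], 0
    while len(seq) < n:
        block = hashlib.sha256(password + counter.to_bytes(8, "big")).digest()
        seq.extend((byte >> shift) & 3 for byte in block for shift in (0, 2, 4, 6))
        counter += 1
    return seq[:n]

def total_ops(password: bytes, n: int) -> int:
    """Operation count of the whole run: the quantity total runtime tracks."""
    return sum(BRANCH_COST[b] for b in branch_sequence(password, n))

def model(n: int) -> tuple:
    """Mean and standard deviation of total_ops when B is uniform and independent."""
    mu = sum(BRANCH_COST) / 4
    var = sum((c - mu) ** 2 for c in BRANCH_COST) / 4
    return n * mu, math.sqrt(n * var)

def z_score(password: bytes, n: int) -> float:
    """How many standard deviations this password's total sits from the mean."""
    mean, sigma = model(n)
    return (total_ops(password, n) - mean) / sigma

if __name__ == "__main__":
    n = 1_000_000  # "millions of branches", as in the reply
    mean, sigma = model(n)
    print(f"mean={mean:.0f} ops, sigma={sigma:.0f} ops ({100 * sigma / mean:.3f}% of mean)")
    for pw in (b"correct horse", b"battery staple"):  # constructed sample passwords
        print(pw, total_ops(pw, n), f"z={z_score(pw, n):+.2f}")
```

Under these assumed costs the sigma of the total grows as the square root of the number of branches while the mean grows linearly, so the spread between passwords shrinks relative to the total as the branch count rises.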