lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALW8-7K5kSZWF0uDJcmkcZGtSVhCY34mw1wvqRjqHhMagE4_dw@mail.gmail.com>
Date: Thu, 2 Oct 2014 12:50:31 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Design Rationale and Security Analysis of PHC candidates

The value "Explored" stands for the case when the designers actually try to
mount a collision/preimage attack on their design and show why it fails. It
is not the best possible option: ideally, one would provide some sort of
security proof that reduces the security of the mode of operation (which
the hashing scheme is) to the security of the underlying primitive, and
thus get the grade "Verified" or "Proven".

The reason is that collision/preimage-resistance/PRF properties of the
primitive do not translate automatically to the mode of operation. Examples
are well-known: forgeries for CBC-MAC, length extension for Merkle-Damgard,
etc.Security proofs might be easy (Merkle-Damgard) or sophisticated (HMAC).

Even if the inputs are short (as in the password hashing) you can still
easily mess things up. For example, if in Gambit you did not encode both
password and salt lengths in the Absorb operation, you'd be in trouble even
though you use the sponge construction properly.

That was the motivation not to give the "perfect" grade to _any_ submission
in the list.

Hope this resolves the problem,
Dmitry

On Thu, Oct 2, 2014 at 9:46 AM, Krisztián Pintér <pinterkr@...il.com> wrote:

> On Tue, Sep 30, 2014 at 1:12 PM, Dmitry Khovratovich
> <khovratovich@...il.com> wrote:
> > https://www.cryptolux.org/images/4/4f/PHC-overview.pdf
>
> one more question/observation: i don't understand the reason for
> gambit's basic crypto being "claimed" as opposed to "explored", since
> it inherits these properties from the underlying sponge, in the
> proposed instance, keccak. what other exploration is needed?
>



-- 
Best regards,
Dmitry Khovratovich

Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ