| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CALW8-7K4vP0a_7WBKtqxMaG=s4HBq9uRDNon2sbYp8h7uvP_=g@mail.gmail.com>
Date: Thu, 2 Oct 2014 13:56:14 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Design Rationale and Security Analysis of PHC candidates
You convinced me.
Assuming random ROM (this is important, collisions are easy if ROM can be
partially chosen) and fixed salt length, you can show that the entire
construction is as secure as the duplex construction.
I will correct the table accordingly.
On Thu, Oct 2, 2014 at 1:20 PM, Krisztián Pintér <pinterkr@...il.com> wrote:
> On Thu, Oct 2, 2014 at 12:50 PM, Dmitry Khovratovich
> <khovratovich@...il.com> wrote:
> > The reason is that collision/preimage-resistance/PRF properties of the
> > primitive do not translate automatically to the mode of operation.
>
> however in this case the mode of operation is the *same* as in the
> underlying primitive. i don't use keccak. gambit *is* keccak. it
> directly inherits security properties from the duplex construction.
>
> > in Gambit you did not encode both
> > password and salt lengths in the Absorb operation, you'd be in trouble
> even
> > though you use the sponge construction properly.
>
> i defined the salt as fixed length. it is explained in the document,
> as well as it is clear from the source code.
>
--
Best regards,
Dmitry Khovratovich
Content of type "text/html" skipped
Powered by blists - more mailing lists