lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 2 Oct 2014 13:56:14 +0200
From: Dmitry Khovratovich <khovratovich@...il.com>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Design Rationale and Security Analysis of PHC candidates

You convinced me.

Assuming random ROM (this is important, collisions are easy if ROM can be
partially chosen) and fixed salt length, you can show that the entire
construction is as secure as the duplex construction.

I will correct the table accordingly.

On Thu, Oct 2, 2014 at 1:20 PM, Krisztián Pintér <pinterkr@...il.com> wrote:

> On Thu, Oct 2, 2014 at 12:50 PM, Dmitry Khovratovich
> <khovratovich@...il.com> wrote:
> > The reason is that collision/preimage-resistance/PRF properties of the
> > primitive do not translate automatically to the mode of operation.
>
> however in this case the mode of operation is the *same* as in the
> underlying primitive. i don't use keccak. gambit *is* keccak. it
> directly inherits security properties from the duplex construction.
>
> > in Gambit you did not encode both
> > password and salt lengths in the Absorb operation, you'd be in trouble
> even
> > though you use the sponge construction properly.
>
> i defined the salt as fixed length. it is explained in the document,
> as well as it is clear from the source code.
>



-- 
Best regards,
Dmitry Khovratovich

Content of type "text/html" skipped

Powered by blists - more mailing lists