lists.openwall.net  lists / announce owlusers owldev johnusers johndev passwdqcusers yescrypt popa3dusers / osssecurity kernelhardening musl sabotage tlsify passwords / cryptdev xvendor / Bugtraq FullDisclosure linuxkernel linuxnetdev linuxext4 linuxhardening PHC  
Open Source and information security mailing list archives
 

Date: Sat, 13 Dec 2014 16:28:49 +0000 (UTC) From: Adam Back <adam@...herspace.org> To: discussions@...swordhashing.net Subject: Re: Some KDF stumbling blocks, plus Common Thomas Pornin <pornin@...> writes: > cool I see you arrived at the idea of delegation via blinding and the same basic mechanism using RivestWagner timelock. > On Fri, Dec 12, 2014 at 10:38:05PM +0000, Gregory Maxwell wrote: > > I am saddened that none of the proposals supported delegation scheme > > with informationtheoretic security ( which are possible, > > https://bitcointalk.org/index.php?topic=311000.0 ) > > Actually, the delegation system described in that page may leak some > information. It blinds a message m to hash with: > > r = (g^b)*m > > where g is a known generator, and b is chosen randomly. The value b > tends to be reused It is a security assumption of blinding schemes in general that the blinding factor, b here, is never reused. > because the unblinding value y = g^e is expensive to > compute g^e is computed cheaply during the setup phase where the user knows the factorisation of n. I do not assume any trusted party that knows the factorisation of n: n is generated by the user. >  There is not one secret blinding pair (x,y) (where y=x^e), but 300 > public blinding pairs. The client generates a new pair for each > delegation instance by selecting randomly half (or so) of the pairs > and multiplying them together. Compared to the blinding described > previously, the cost for the client is higher (an average of 300 > modular multiplications) but still acceptable (it is less than that > of a single RSA private key operation). I think you are saying this would be slower, take more storage than the method I describe. Do you see some advantage? > (Minor terminology nitpick: none of the above is "informationtheoretic > security". That term designates algorithms that remain secure against > attackers with unbounded computing abilities. By definition, this cannot > apply to password hashing, where exhaustive search always succeeds in > the long run. Also, anything involving a nonprime modulus can be broken > by factoring the modulus.) My scheme does provide information theoretic security because all passwords are equiprobable due to the random blinding and so no information is leaked. I think your method loses information theoretic security because the way you generate the blinding factor has number of values c(300,150)<n. With my method b is uniform random from [0,n). Factoring the modulus does not change this fact it just makes calculations faster. Adam
Powered by blists  more mailing lists