Date: Fri, 12 Dec 2014 19:02:09 -0800
From: "Jeremy Spilman" <>
Cc:, "Thomas Pornin" <>,
Subject: Re: [PHC] Some KDF stumbling blocks, plus Common "memory-hard" approaches and amortized attack costs.

> On Fri, Dec 12, 2014 at 10:38:05PM +0000, Gregory Maxwell wrote:
>> I am saddened that none of the proposals supported delegation scheme
>> with information-theoretic security ( which are possible,
>> )

On Fri, 12 Dec 2014 16:22:58 -0800, Thomas Pornin <> wrote:
> (Minor terminology nitpick: none of the above is "information-theoretic
> security". That term designates algorithms that remain secure against
> attackers with unbounded computing abilities. By definition, this cannot
> apply to password hashing, where exhaustive search always succeeds in
> the long run. Also, anything involving a non-prime modulus can be broken
> by factoring the modulus.)

I was reading Florêncio, Herley and Oorschot's recently published
'Administrator's Guide to Internet Password Research' a couple weeks ago
( and in it I found a curious reference...

[15] G. D. Crescenzo, R. J. Lipton, and S. Walfish. Perfectly secure
password protocols in the bounded retrieval model. In TCC,
pages 225–244, 2006.

This is certainly the earliest reference I've found yet of applying the  
'security by obesity' concept. Crescenzo offers a formal proof for  
security against a computationally unbounded attacker in the bounded  
retrieval model (e.g. physically too big to steal over the network).

What I've been calling Blind Hashing takes the bounded retrieval model
(wish I knew that term back in 2012!) and combines it with delegation to an
untrusted central data pool using a keyed hash to adaptively index the
data pool and retrieve a second [512-bit] salt/key for use in further

We're still beta / pre-launch (soon, soon!) but a write-up is here: I  
felt it's mainly out-of-scope for PHC since it works in concert with any  
hashing function, and it's a commercial service to boot, but there is zero  
chance of me passing up an opportunity to discuss delegation and  
information-theoretic security with GMaxwell, TPornin, and CHerley on the  
PHC list!
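The delegation scheme sketched in the message above (keyed hash, adaptive index into a large data pool, a second 512-bit salt/key pulled back for the final derivation) can be illustrated with a small model. This is an added example written for this archive page; it is not Blind Hashing's code, nor code from the Crescenzo, Lipton and Walfish paper. Everything specific is an assumption: the pool is a deterministic, seeded stand-in for what would really be a very large CSPRNG-filled store (the "too big to steal" part), the chain length of four lookups is constructed, HMAC-SHA-512 stands in for whatever keyed hash a real deployment would use, and the only thing crossing the site/pool boundary is a block index, so the pool operator never sees a password or its hash.

```python
import hashlib
import hmac

BLOCK_BYTES = 64   # one 512-bit block per lookup (size taken from the post)
LOOKUPS = 4        # length of the adaptive lookup chain (constructed value)


def make_pool(n_blocks, seed=b"constructed-demo-seed"):
    """Stand-in for the central data pool.

    A real pool is random data far too large to exfiltrate; here it is
    expanded deterministically from a seed so the example runs offline.
    """
    pool = bytearray()
    counter = 0
    while len(pool) < n_blocks * BLOCK_BYTES:
        pool += hashlib.sha512(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(pool[:n_blocks * BLOCK_BYTES])


def pool_service_lookup(pool, index):
    """The untrusted pool operator: answers a block index with 64 bytes.

    It learns only the index, never the password or the site key.
    """
    n_blocks = len(pool) // BLOCK_BYTES
    i = index % n_blocks
    return pool[i * BLOCK_BYTES:(i + 1) * BLOCK_BYTES]


def derive_verifier(password, salt, site_key, pool):
    """Site side: keyed hash -> adaptive pool lookups -> stored verifier.

    `site_key` stays with the site, so the pool alone is useless to anyone
    holding it; the pool stays with the operator, so a stolen site database
    (salt, verifier, site_key) cannot be attacked offline without it.
    """
    # Stage 1: keyed hash of the salted password; this never leaves the site.
    h = hmac.new(site_key, salt + password, hashlib.sha512).digest()

    # Stage 2: adaptive indexing. Each retrieved block feeds the next index,
    # so the lookups cannot be batched or precomputed independently.
    for _ in range(LOOKUPS):
        index = int.from_bytes(h[:8], "big")
        block = pool_service_lookup(pool, index)  # the only cross-boundary call
        h = hmac.new(site_key, h + block, hashlib.sha512).digest()

    # Stage 3: the final block-mixed state is the "second salt/key"; fold it
    # into the verifier that the site actually stores.
    return hashlib.sha512(b"verifier" + h).hexdigest()


def check_password(candidate, salt, site_key, pool, stored_verifier):
    """Constant-time comparison of a freshly derived verifier with the stored one."""
    computed = derive_verifier(candidate, salt, site_key, pool)
    return hmac.compare_digest(computed, stored_verifier)


if __name__ == "__main__":
    demo_pool = make_pool(4096)                 # 256 KiB stand-in pool
    salt, site_key = b"per-user-salt", b"site-secret-key"
    v = derive_verifier(b"correct horse battery staple", salt, site_key, demo_pool)
    print("verifier:", v[:32], "...")
    print("right password:", check_password(b"correct horse battery staple", salt, site_key, demo_pool, v))
    print("wrong password:", check_password(b"Tr0ub4dor&3", salt, site_key, demo_pool, v))
    # Same site data but a different pool: the verifier cannot be reproduced.
    print("other pool    :", check_password(b"correct horse battery staple", salt, site_key, make_pool(4096, b"other"), v))
```

The design point worth noticing is where the secrets live: the site key and salt are in the site database, the pool is with the operator, and a password guess can only be checked by whoever holds both and can make the chained lookups online. That is the bounded-retrieval argument in miniature; the pool stand-in here is small only so the example runs.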
