lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 11 Feb 2015 20:13:38 +0000
From: Samuel Neves <>
Subject: Re: [PHC] PHC status report

Dear Donghoon,

As I understand, you are claiming that we 1) changed the selection criteria from the original ones 2) made them
inherently subjective and unjustifiable.

The criteria you focus on are:

 - Elegance
 - Originality and inovation

Regarding elegance, I don't see this as a changed criteria, but as a rewording of the original criteria. From the call,
under the 'Simplicity' bullet point:

 - Overall clarity of the scheme (design symmetries, modularity, etc.).
 - Ease of implementation (coding, testing, debugging, integration).
 - Use of other primitives or constructions internally (the fewer, the better).

I see elegance as the first of these: a more elegant design is one that is more symmetric and easier to understand. I
don't see this as any less subjective than the original call, and to my knowledge there were no major complaints about
the original criteria.

A second quote from the call: "Submitters are encouraged to propose innovative constructions and methods for protecting
passwords against attackers ...". It seems clear to me that the original intention of the call was to encourage
innovation in the submissions received, and what other way to reward innovation other than to move more innovative
submissions to the next stages of the competition?

You also claim that, unlike other competitions like AES and SHA-3, the employed criteria not only changed, but also were
inherently prone to favoritism and biases. I am obviously too young to have been present during the AES process, but I
remember NIST also changing criteria during the SHA-3 process. NIST:

 - Added new criteria, "complementing SHA-2", "a very clean and elegant design", the main justifications for Keccak's
 - Ignored its own criterion that the performance of SHA-3 on the reference platform had to be at least as good as SHA-2.

This is not to try and put NIST or SHA-3 in a negative light. What NIST knew when the call was written was not what NIST
knew when the process about about to finish; certain aspects changed in relevance midway, and NIST adjusted their
priorities and criteria as they saw fit.

Usual disclaimer: these are my opinions and perspectives and do not necessarily reflect the entire panel's.

Best regards,
Samuel Neves

On 11-02-2015 19:22, Donghoon Chang wrote:
> I would like to add more comments on the following new criteria.
> 1. Elegance of design
> 2. Originality and innovation
> Unlike the criteria in art or literature, the criteria of standards or
> algorithms related to the security of system should be able to be measured
> by scientific ways.
> Now, a question arises, "given an algorithm, how can we measure the
> elegance of design and originality and innovation of the algorithm in
> scientific ways?"
> As far as I know, there were (or are) no such criteria in cases of AES,
> SHA-3, Caesar competitions, because such criteria are not scientifically
> measurable! I believe that they can be only measurable by a biased
> favoritism!
> In the link (, it is written, "To
> identify new password hashing schemes suitable for widespread adoption, the
> PHC follows the model of focused cryptographic competitions such as AES,
> eSTREAM, or SHA-3 (see the Cryptographic competitions
> <> website)." However, I wonder whether the
> PHC follows the model of focused cryptographic competitions or not.
> - Donghoon Chang
> 2015-02-11 21:16 GMT+05:30 Donghoon Chang <>:
>> In the beginning of the competition, the criteria were clearly mentioned
>> from the following link.
>> However, as mentioned from another following link, when 9 candidates have
>> been recently selected, new criteria, which are totally unrelated to the
>> original ones, were added.
>> The two new criteria are added as follows:
>> 1. Elegance of design
>> 2. Originality and innovation
>> I wondered who added these new criteria, which were never mentioned
>> before, without the request of any permission of changing it internally and
>> publicly.
>> Due to the above new criteria, some of the candidates were not selected.
>> Directly speaking, the new criteria were secretly created, which is against
>> the rule of competition, to kick out those candidates, which is unfair and
>> even a crime.
>> Another main issue of the PHC is that 9 candidates were chosen without
>> providing comparison results with proper metrics, which are against all
>> other competitions such as AES, SHA-3, Caesar Competitons, etc. The
>> competition should be scientifically based on proper metrics with clear
>> comparison (not based on voting out of favoritism), according to the
>> criteria which were given in the beginning.
>> Since I was one of internal evaluators of SHA-3 candidates as a guest
>> researcher of NIST for three years, it more seems to me that the procedure
>> of the PHC looks immature to me. Even the PHC panel's recent selecting
>> procedure undermines the dignity of the PHC, the PHC panel, submitters, and
>> even crypto community. Please think it seriously.
>> I hope that the PHC panel might accept and correct their mistake and make
>> every effort to restore our dignity including everyone participating in the
>> PHC.
>> - Donghoon Chang
>> 2015-02-11 16:37 GMT+05:30 Krisztián Pintér <>:
>>> On Tue, Feb 10, 2015 at 4:00 PM, Solar Designer <>
>>> wrote:
>>>> I think publishing the upvote and downvote counts
>>> counts? why not the votes themselves? why is it a secret? normally
>>> secret voting protects the voters from retaliation. i don't think it
>>> applies to that case. on the contrary, keeping the vote secret (as
>>> well as unexplained) casts the shadow of doubt on the rationality of
>>> it.
>>>> we used the voting as a tool to focus
>>>> further discussion rather than to definitively choose the finalists.
>>> i was under the impression that the voting was the selection method.
>>> if it wasn't, then it indeed does not matter much. what matters is the
>>> actual rationale, what the selection was based on.
>>>> I guess you'd prefer some scoring system?  It wouldn't work.  Opinions
>>>> varied on what properties would be best to have vs. to avoid, so we
>>>> couldn't possibly have arrived at a common scoring system.
>>> the very reason to have a detailed rationale is that people don't have
>>> to agree the result, they can rely on the facts. if the panel declares
>>> a winner using one set of preferences, but that does not coincide my
>>> own preferences, i can still use the results to find my own winner for
>>> my own situation.
>>>>> this discussion should also be summarized, anonimized, and made public.
>>>> That's significant effort that's unlikely to address your concerns.
>>> that is the only task the panel had. you are talking about skipping
>>> the only reason this competition exists. when you signed up to this,
>>> what is it exactly that you offered to do? also, how is it that it
>>> does not address my concerns? my concern is that the selection process
>>> is not transparent, and basically no information is published.
>>> publishing the actual decision process exactly solves that problem.

Powered by blists - more mailing lists