Message-ID: <alpine.DEB.2.11.1502152105560.29780@debian>
Date: Sun, 15 Feb 2015 21:34:58 +0100 (CET)
From: Stefan.Lucks@...-weimar.de
To: discussions@...sword-hashing.net
Subject: Re: [PHC] PHC status report
On Sat, 14 Feb 2015, D. J. Bernstein wrote:
> NIST required a "recommended" set of parameters. I recommended a set of
> parameters that heavily prioritized conservativism over speed [...]
With *your* *recommended* sets of parameters, CubeHash was absurdly slow.
I understand what the NIST saw in CubeHash, and I actually agree with
the decision to keep CubeHash in the second round of SHA-3. CubeHash was a
cool design!
BTW, it is a pity that you preferred a formal version (meeting the tweaked
security requirements, but absurdly slow) and a recommended version (fast
enough, but badly failing even the tweaked security requirements), rather
than submitting a proper tweak that did address the concerns raised by the
NIST in the first-round report.
> [...] If you're going to accuse NIST of ignoring its own rules then you
> should focus on the rules that they actually published, not the rules
> that you wish they had published instead.
The initial rules required approximately 2^512. Later, the rule was
tweaked to accept 2^480 or more as an approximation for 2^512.
I am sure you can find plenty of lawyers who will credibly argue that
2^480 is a reasonable approximation of 2^512. But good luck with finding
plenty of scientists who agree with calling that an "approximation". ;-)
In any case, the story of CubeHash is off-topic for this list, so I won't
discuss it any more, here. I am willing to discuss my ideas for a CubeHash
tweak with you, the next time we meet in person. ;-)
So long
Stefan
------ I love the taste of Cryptanalysis in the morning! ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--