Date: Fri, 20 Feb 2015 11:28:21 +1000
From: Rade Vuckovac <rade.vuckovac@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] PHC status report

Objective criticisms of the PHC

It is hard to have an objective argument with just a one-liner. But
below is a try.
Tony Arcieri wrote: “Schvrch: No PRFs applied to input, probably not
cryptographically secure”

1. As was mentioned before (here and in the submission), there are quite a
few analyses concerning the Schvrch primitive. The summary can be seen here:
http://dakhilalian.iut.ac.ir/pdff/C26.pdf

The paper abstract: “MAG is a synchronous stream cipher designed by
Vuckovac submitted to the eSTREAM project. Vuckovac also proposed two
modified versions of MAG to avoid the distinguishing attack on the first
version of MAG presented by Fischer. In this paper we show that, by changing
Fischer’s attack, we can apply it to one of the modified versions of
MAG. The modified attack requires only 514 successive bytes of known
keystream and 5 xor and 2 comparison operations between 16 bit words. In
addition, we show that the distinguishing and key recovery attack proposed by
Simpson and Henricksen on all versions of MAG is feasible just by
considering an assumption on the initialization of MAG that simplifies this
step so much. Therefore, their attack cannot be performed in general.”

The paper's conclusion is that only one kind of attack is applicable (Fischer's)
and that attack cannot be applied in some cases.

The above illustrates a couple of things. Even though MAG did not make eSTREAM
round 2, attacks were communicated, some attacks did not apply to some
cases and some attacks were even proven wrong. And all of that is kind of
expected from a scientific endeavour.

On the other hand, it appears that the one-liner above ignored all prior
findings. It does not improve on previous analysis or bring anything new,
disregarding apparent interest from some people (3 just from the abstract
above). It should be noted that it really does not matter if the one-liner
statement is true or false; either way the argument cannot be continued in a
meaningful manner. Simply put, arguments are not present, and that is
usually an attribute of authority.

2. Concerning the validity/authority of the statement: “No PRFs applied to
input, probably not cryptographically secure” implies that PRF application
to the input is an essential step to make things secure. An example that
contradicts the previous statement was provided here before, and here it is again:

“Let n be a 512 bit string (salt and password combo). Treat n as a positive
integer. Apply (3n+1)/2 if n is odd, else do n/2. The result is the new n.
Repeat the step above 256 times on every new n created to acquire a 256 bit
parity string (recording 1 when the new n is odd and 0 when the new n is even).
Discard the first 128 bits and use the remaining 128 bits as the hash of n
(arguably the tiniest secure password hashing scheme around).”

No PRF above; actually the submission paper suggests that the above scheme is
a random oracle (pseudo is omitted deliberately). It is a crack-pot
statement, but not challenged yet. Regardless, the 3n+1 problem is studied
more than all crypto competitions with all their entries put together, and still it
appears that the parity sequence behaves like a fair coin-flipping sequence
(without help from an external PRF).

All of the above may be used to argue that the PHC treads the path of authority instead of
the scientific path, and with rather dubious authority.

Regards, Rade

On Wed, Feb 18, 2015 at 1:32 PM, Tony Arcieri <bascule@...il.com> wrote:

> On Tue, Feb 17, 2015 at 1:03 AM, Jean-Philippe Aumasson <
> jeanphilippe.aumasson@...il.com> wrote:
>
>> please remain civil. Having a little discontent is ok, but being rude
>> and a jackass is not.
>
>
> I apologize, my comment was out-of-line.
>
> Krisztián, perhaps I can give some more constructive feedback. I think you
> are frustrated with a lack of transparency in the PHC process, and I agree
> that's a problem. There is much internal discussion about the process being
> more transparent.
>
> As I have read your remarks though, I feel they're more motivated by your
> emotions than by objective criticisms of the PHC. Perhaps you too can work
> towards more constructive criticisms of the PHC?
>
> --
> Tony Arcieri
>
