Date: Mon, 13 Apr 2015 17:17:51 -0700
From: Andy Lutomirski <>
To: discussions <>
Subject: Re: [PHC] Information theoretic security for delegated hardening was: winner selection

On Mon, Apr 13, 2015 at 12:28 PM, Gregory Maxwell <> wrote:
> On Mon, Apr 13, 2015 at 3:52 PM, Alexandre Anzala-Yamajako <> wrote:
>> The topic is not specifically about Makwa but I'm not sure that I
>> understand Gregory's argument.
>> To me it doesn't make sense to have only one of the crypto primitives
>> of your system information theoretically secure.
>> Everything else in Bitcoin relies on computational hardness
>> assumptions, does it not?
> Sorry for the tangent.  Let me give an example with computational hardness.
> The application here is that there is some weak user passphrase, P.
> There is a low power (think 8bit microcontroller) device that cannot
> compute a good strengthening function to raise P to adequate security.
> Instead they compute H(P) and send it to some untrusted device which
> computes KDF(H(P)) and the device ultimately computes a key as
> H(KDF(H(P)) || P) or the like.
> [Obviously things like salts and such simplified out]
> The 'untrusted device' however, is able to perform dictionary attacks
> against H(P); which is cheap because the device is limited.
> Computational hardness at the 2^48 (user entropy) level is very
> different than the level of computational hardness of the rest of the
> system.
> So the untrusted device really can't be that untrusted, which is unfortunate.
> Using the group of unknown order blind squaring puzzle we can redo
> the above as BLIND(H(P),random); then delegate to an untrusted
> party which learns nothing (the received number is uniform); and they
> can perform an expensive KDF and then the end device can unblind.
> Since the device doing the hardening learns _nothing_ your use of it
> can not reduce your security.
> Since there is a straightforward way to achieve this (simpler than
> Makwa; based on the same hardness assumption), I can't see us
> bothering with anything less than information theoretic security if we
> cared about delegation to untrusted parties. If we don't care much
> about it we can use the first protocol I gave with any PHC candidate as
> KDF.

Can you elaborate on this straightforward way?
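The blinded delegation sketched in the quoted message, as an added example that is not Maxwell's construction nor code from the PHC list: it assumes a Makwa-style work function of 2^WORK sequential squarings modulo an RSA modulus N of unknown order, and that blinding pairs (alpha, alpha^(2^WORK)) are generated at provisioning time with the factors of N and stored on the constrained device. All parameters, primes and function names are constructed for the demo.

```python
import hashlib
import math
import secrets

# Constructed toy parameters, NOT secure: a real deployment needs a large RSA
# modulus whose factors are destroyed or kept off the constrained device.
P_PRIME, Q_PRIME = 1000000007, 998244353
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
WORK = 16  # the delegate performs 2**WORK sequential squarings

def password_to_element(password: bytes) -> int:
    """Cheap H(P) on the constrained device, mapped into the units of Z_N."""
    counter = 0
    while True:
        h = hashlib.sha256(password + counter.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % N
        if x > 1 and math.gcd(x, N) == 1:
            return x
        counter += 1

def make_blinding_pair() -> tuple:
    """Provisioning: alpha uniform among the units, beta = alpha^(2^WORK) mod N,
    cheap only with the factors (exponent mod phi(N)); the device stores pairs."""
    alpha = secrets.randbelow(N - 2) + 2
    while math.gcd(alpha, N) != 1:
        alpha = secrets.randbelow(N - 2) + 2
    return alpha, pow(alpha, pow(2, WORK, PHI), N)

def blind(x: int, alpha: int) -> int:
    """Device: x*alpha is uniform (alpha is), so it reveals nothing about P."""
    return x * alpha % N

def delegate_harden(y: int) -> int:
    """Untrusted party: the expensive squaring chain on the blinded value."""
    return pow(y, 1 << WORK, N)

def unblind(z: int, beta: int) -> int:
    """Device: divide out beta = alpha^(2^WORK) to recover x^(2^WORK) mod N."""
    return z * pow(beta, -1, N) % N

def derive_key(password: bytes) -> bytes:
    """Key = H(KDF(H(P)) || P) as in the message, with the KDF delegated."""
    x = password_to_element(password)
    alpha, beta = make_blinding_pair()
    hardened = unblind(delegate_harden(blind(x, alpha)), beta)
    return hashlib.sha256(hardened.to_bytes(8, "big") + password).digest()
```

The delegate only ever sees x*alpha mod N, which is distributed identically for every passphrase, so its view gives it nothing to run a dictionary against.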
