lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Apr 2015 16:44:51 +0300
From: Solar Designer <>
Subject: Re: [PHC] Bug in yescrypt pwxform specification pseudocode

Hi Ken,

On Tue, Apr 14, 2015 at 03:09:01AM -0400, Ken T Takusagawa wrote:
> The loop indices in pwxform run from 0 to "X"-1 in the 
> reference implementation 
> yescrypt-v1/yescrypt/yescrypt-0.7.1/yescrypt-ref.c :
> for (i = 0; i < PWXrounds; i++) {
>  for (j = 0; j < PWXgather; j++) {
>   for (k = 0; k < PWXsimple; k++) {
> But run from 0 to "X" in the specification document 
> yescrypt-v1/yescrypt/yescrypt-phc.rst :
> 1:   for :latex:`$ i = 0 $` to :latex:`$ PWXrounds $` do
> 2:     for :latex:`$ j = 0 $` to :latex:`$ PWXgather $` do
> 5:       for :latex:`$ k = 0 $` to :latex:`$ PWXsimple $` do
> (Other "for" loops in the specification document explicitly 
> specify "X"-1.)

You're correct.  Thank you!

As to fixing this, maybe the rounds loop should go from 1 to PWXrounds
in the spec, whereas implementations may also make it from 0 to
PWXrounds-1 (or even use a "do ... while (--count)" loop, or an unrolled
loop).  For the gather and simple loops, they should in fact be
zero-based, as the spec uses zero-based indices here and elsewhere, so
the upper bounds in the loops in the specs need to be "X"-1 as you say.

I'll plan to include a fix for this in the next update of the spec.
The code is correct as-is, so there won't be a change to that (nor to
the test vectors, obviously).


Powered by blists - more mailing lists