lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150417224037.GA28900@openwall.com>
Date: Sat, 18 Apr 2015 01:40:37 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"

Dmitry,

On Fri, Apr 17, 2015 at 10:16:05PM +0300, Solar Designer wrote:
> I think it would help this community if you try applying your attack to
> scrypt proper.  Initially for storage of just the last sub-blocks (in
> addition to some full blocks), and then (after publishing your initial
> results) also for storage of arbitrary sub-blocks.  Try to identify
> which ones and how many are optimal to store.  Perhaps the "how many"
> will vary depending on the higher-level TMTO factor that you apply, so
> perhaps the SMix-level and BlockMix-level TMTO factors would need to be
> optimized together.
> 
> The scrypt paper is very careful when it talks about a "constant factor"
> without specifying any upper bound on it, so it won't exactly be a break
> of scrypt if you show that this constant factor is higher than is
> possible with an SMix-level attack alone.  But it will be a significant
> new result.

Actually, if you show that the reduction of memory-time product for
scrypt is a function of r and has no constant upper bound, then this may
be a (theoretical) break of scrypt.  You could start by considering
extreme cases such as N=2 and high r, then N=4 and high r, and then
generalize this to any N and r, and see what happens for sane r.

I expect that scrypt at high r might in fact be broken in this sense.

Alexander

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ