Date: Fri, 17 Apr 2015 13:43:15 +0200
From: Sascha Schmidt <sascha.schmidt@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"

2015-04-15 0:29 GMT+02:00 Solar Designer <solar@...nwall.com>:
> Of PHC finalists, this might be relevant to battcrypt, Catena, Lyra2,
> yescrypt.  (And to original Argon?  But I hope we'll accept Argon2, and
> won't need to consider the original Argon anymore.)
If I understand this attack correctly, it relies on the compression
function not providing enough diffusion.
The best differential probabilities I could find are over 3.5 rounds
of Blake2b or 4.5 rounds of just the compression function[1]. [2]
limits a rotational distinguisher to 7 rounds. This hints that Blake2b
reaches a high diffusion after just a few rounds. From my
understanding, this would make this attack unfeasible.

Catena's reduced Blake2b tries to be as close to the actual Blake2b as
possible. The diffusion should be similar to the original. At least I
can't find anything that would affect it.

I haven't looked at Rig or Lyra2 in depth, but both of them seem to
omit the message schedule and the state. It's beyond my capabilities
to judge if this influences the diffusion significantly.

[1] https://eprint.iacr.org/2013/467.pdf
[2] https://eprint.iacr.org/2015/095.pdf

Sincerely
Sascha Schmidt
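
An added example, not part of the original message: a round-reduced BLAKE2b compression function (constants from RFC 7693) with a simple avalanche measurement, to show how quickly a one-bit message difference spreads as whole rounds are added. Avalanche is only a coarse diffusion indicator and is not the differential or rotational analysis of [1] and [2]; the names `compress` and `avalanche` and the sample inputs are constructed for this illustration.

```python
import random

MASK = (1 << 64) - 1
IV = [0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
      0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179]
# Message word schedule, one hex digit per word index, one string per round.
SIGMA = [[int(c, 16) for c in row] for row in (
    "0123456789abcdef ea489fd61c02b753 b8c052fdae367194 7931dcbe265a40f8 "
    "905724afe1bc683d 2c6a0b834d75fe19 c51fed4a0763928b db7ec13950f4862a "
    "6fe9b308c2d714a5 a2847615fb9e3cd0").split()]
LANES = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),   # columns
         (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]   # diagonals

def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def g(v, a, b, c, d, x, y):
    """BLAKE2b mixing function G: two add-rotate-xor passes, one per message word."""
    for word, r1, r2 in ((x, 32, 24), (y, 16, 63)):
        v[a] = (v[a] + v[b] + word) & MASK
        v[d] = rotr(v[d] ^ v[a], r1)
        v[c] = (v[c] + v[d]) & MASK
        v[b] = rotr(v[b] ^ v[c], r2)

def compress(h, m, t, final=True, rounds=12):
    """BLAKE2b compression function F with a configurable number of whole rounds."""
    v = list(h) + list(IV)
    v[12] ^= t & MASK
    v[13] ^= t >> 64
    if final:
        v[14] ^= MASK
    for r in range(rounds):
        s = SIGMA[r % 10]
        for i, (a, b, c, d) in enumerate(LANES):
            g(v, a, b, c, d, m[s[2 * i]], m[s[2 * i + 1]])
    return [h[i] ^ v[i] ^ v[i + 8] for i in range(8)]

def avalanche(rounds, trials=200, seed=1):
    """Mean fraction of the 512 output bits that change when one message bit flips."""
    rng = random.Random(seed)
    h = [IV[0] ^ 0x01010040] + IV[1:]  # unkeyed, 64-byte digest parameter block
    changed = 0
    for _ in range(trials):
        m = [rng.getrandbits(64) for _ in range(16)]       # constructed random block
        m2 = list(m)
        m2[rng.randrange(16)] ^= 1 << rng.randrange(64)    # constructed one-bit difference
        a, b = compress(h, m, 128, rounds=rounds), compress(h, m2, 128, rounds=rounds)
        changed += sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return changed / (trials * 512)
```

Calling `avalanche(r)` for r = 1, 2, 3, 4, 12 prints nothing by itself; compare the returned fractions against the ideal 0.5.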
