lists.openwall.net: Open Source and information security mailing list archives
Date: Fri, 17 Apr 2015 13:43:15 +0200
From: Sascha Schmidt <sascha.schmidt@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"

2015-04-15 0:29 GMT+02:00 Solar Designer <solar@...nwall.com>:
> Of PHC finalists, this might be relevant to battcrypt, Catena, Lyra2,
> yescrypt. (And to original Argon? But I hope we'll accept Argon2, and
> won't need to consider the original Argon anymore.)

If I understand this attack correctly, it relies on the compression function not providing enough diffusion. The best differential probabilities I could find are over 3.5 rounds of Blake2b or 4.5 rounds of just the compression function [1]. [2] limits a rotational distinguisher to 7 rounds. This hints that Blake2b reaches a high diffusion after just a few rounds. From my understanding, this would make this attack unfeasible.

Catena's reduced Blake2b tries to be as close to the actual Blake2b as possible. The diffusion should be similar to the original. At least I can't find anything that would affect it.

I haven't looked at Rig or Lyra2 in depth, but both of them seem to omit the message schedule and the state. It's beyond my capabilities to judge if this influences the diffusion significantly.

[1] https://eprint.iacr.org/2013/467.pdf
[2] https://eprint.iacr.org/2015/095.pdf

Sincerely
Sascha Schmidt