lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 17 Apr 2015 06:39:12 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] Information theoretic security for delegated hardening was:
 winner selection

On Mon, Apr 13, 2015 at 5:17 PM, Andy Lutomirski <>

> Can you elaborate on this straightforward way?
> Thanks,
> Andy

I found this:

The scheme seems similar to Makwa, but simpler.  Here's the math from that

public params:

n=pq (primes p & q deleted at setup)
g=shared generator
e=2^(2^w)-1 ie a big, big number w is work factor
    (Bill: why subtract 1?)
y=g^e mod n (generated cheaply at setup, or computable one-off cost


b=random blinding factor
r=g^b*m (broacast r to miners)
    (Bill: this is mod n, right?  Also, that's (g^b)*m, not g^(b*m))


s=r^e mod n (expensive because e is big and carm(n)=(p-1)(q-1)/2 is unknown)


u=y^b (unblinding factor)
    (Bill: again mod n, right?)
m^e = s/u (as s/y^b=r^e/g^{be}=g^{be}*m^e/g^{be})
    (Bill: by /u, I assume we find g-inverse, and compute y differently)

This is simpler than Makwa, but I haven't put any thought into attacking
it.  Thomas Porin, what do you think of this again?


Content of type "text/html" skipped

Powered by blists - more mailing lists