lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 19 Apr 2015 06:36:42 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"

On Fri, Apr 17, 2015 at 01:43:15PM +0200, Sascha Schmidt wrote:
> If I understand this attack correctly, it relies on the compression
> function not providing enough diffusion.

Yes, but referring to entire blocks of the memory-hard algorithm.

> The best differential probabilities I could find are over 3.5 rounds
> of Blake2b or 4.5 rounds of just the compression function[1]. [2]
> limits a rotational distinguisher to 7 rounds. This hints that Blake2b
> reaches a high diffusion after just a few rounds. From my
> understanding, this would make this attack unfeasible.
> 
> Catena's reduced Blake2b tries to be as close to the actual Blake2b as
> possible. The diffusion should be similar to the original. At least I
> can't find anything that would affect it.

Doesn't Catena use blocks much larger than a single BLAKE2b output?

> I haven't looked at Rig or Lyra2 in depth, but both of them seem to
> omit the message schedule and the state. It's beyond my capabilities
> to judge if this influences the diffusion significantly.

You're looking at the wrong layer.

Alexander

Powered by blists - more mailing lists