Message-ID: <782976686.20150422000754@gmail.com>
Date: Wed, 22 Apr 2015 00:07:54 +0200
From: Krisztián Pintér <pinterkr@...il.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Argon2 modulo division
Marcos Antonio Simplicio Junior (at Tuesday, April 21, 2015, 11:36:07 PM):
> - If the memory accesses are all password-dependent, then it is
> easier to discard guesses even before the memory is filled.
> - If the memory accesses are all password-independent, then it is
> easier to eliminate memory latencies from the attack costs even with
> cheap memory (just prefetch what you need soon before you use it).
there is a very significant difference between leaking a secret and
allowing for some performance optimizations. the former is a break,
the latter is just reducing the security margin by some. if we don't
have the proper security margin, having an extra 50% cost won't change
much. actually even doubling the cost is equivalent to only 1 bit of
password strength. maybe educating the user to have one more
character in the password does more for us than a tight cost
requirement.

also we need to bear in mind that the defender can optimize as well,
especially in the case of simple access patterns. a simple pre-reading of
the values in time will give you that, with some added complexity. i
was actually thinking about doing that, but discarded the idea for
simplicity.