Message-ID: <alpine.DEB.2.11.1505041357100.939@debian>
Date: Mon, 4 May 2015 14:03:31 +0200 (CEST)
From: Stefan.Lucks@...-weimar.de
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Maximising Pseudo-Entropy versus resistance to Side-Channel
Attacks
On Thu, 30 Apr 2015, Bill Cox wrote:
> On Thu, Apr 30, 2015 at 5:43 AM, <Stefan.Lucks@...-weimar.de> wrote:
> As an example, let the password hashing function H1 be ten times faster than H2, i.e., if Mallory's costs for H1 are ten times
> higher than his costs for H2 (for the same budget on the defender's side). Ten times faster sounds like a big deal, doesn't it?
>
>
> Mallory's cost will be 100X higher in this case. Memory*time defense goes as the square of the runtime. So, that's 6.64 additional bits of
> strength, not 3.32.
No! Say H2 runs in 1 second allocating 10 MB, while H2, allocating the
same 10 MB, is ten times faster: 0.1 second. If the defender is willing
to wait 1 second for either H1 or H2, H1 could then allocate 100 MB.

cost for H1: 100 sMB (seconds * Megabyte)
cost for H2: 10 sMb (seconds * Megabyte)

So the pseudo-entropy for H1 is 3.32 bit larger than the pseudo-entropy
for H2, not 6.64.

Stefan
------ I love the taste of Cryptanalysis in the morning! ------
uni-weimar.de/de/medien/professuren/mediensicherheit/people/stefan-lucks
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--