Date: Wed, 6 May 2015 10:54:20 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"

On Sun, Apr 19, 2015 at 06:36:42AM +0300, Solar Designer wrote:
> On Fri, Apr 17, 2015 at 01:43:15PM +0200, Sascha Schmidt wrote:
> > If I understand this attack correctly, it relies on the compression
> > function not providing enough diffusion.
> 
> Yes, but referring to entire blocks of the memory-hard algorithm.
> 
> > The best differential probabilities I could find are over 3.5 rounds
> > of Blake2b or 4.5 rounds of just the compression function[1]. [2]
> > limits a rotational distinguisher to 7 rounds. This hints that Blake2b
> > reaches a high diffusion after just a few rounds. From my
> > understanding, this would make this attack unfeasible.
> > 
> > Catena's reduced Blake2b tries to be as close to the actual Blake2b as
> > possible. The diffusion should be similar to the original. At least I
> > can't find anything that would affect it.
> 
> Doesn't Catena use blocks much larger than a single BLAKE2b output?

I just took a closer look, and it appears that my assumption was wrong.
Catena works directly with BLAKE2b outputs, without any "sub-blocks".
So it appears immune to the attack discussed in this thread.

Alexander
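The distinction the reply turns on, diffusion across an entire memory block rather than within one BLAKE2b call, can be made concrete with a small model. The following is an added example, not code from Catena, from any PHC candidate, or from the attack paper under discussion. It contrasts two hypothetical ways of producing a block: a chained design in which a large block is built by iterating BLAKE2b over 64-byte sub-blocks (a constructed stand-in for the "sub-block" layout the reply assumed), and a Catena-style design in which a block is exactly one BLAKE2b output. The 16-sub-block size, the chaining rule and the sample inputs are all assumptions made for illustration.

```python
import hashlib

SUB_BLOCK = 64   # BLAKE2b output size in bytes; a Catena block is one such output
N_SUB = 16       # assumption: a hypothetical large block of 16 sub-blocks (1024 bytes)


def blake2b(data: bytes) -> bytes:
    """Full-size (64-byte) BLAKE2b, the primitive both models are built from."""
    return hashlib.blake2b(data, digest_size=SUB_BLOCK).digest()


def iterative_compress(block: bytes) -> bytes:
    """Hypothetical chained design (not any real PHC candidate): output
    sub-block i is H(previous output sub-block || input sub-block i).
    Each output sub-block therefore depends only on input sub-blocks 0..i."""
    assert len(block) == SUB_BLOCK * N_SUB
    out = []
    prev = bytes(SUB_BLOCK)          # fixed all-zero chaining value
    for i in range(N_SUB):
        chunk = block[i * SUB_BLOCK:(i + 1) * SUB_BLOCK]
        prev = blake2b(prev + chunk)
        out.append(prev)
    return b"".join(out)


def whole_block_compress(block: bytes) -> bytes:
    """Catena-style: the block is a single BLAKE2b output, so one call
    sees every input bit and every output bit depends on all of them."""
    return blake2b(block)


def flip_bit(data: bytes, byte_index: int) -> bytes:
    """Return a copy of data with the lowest bit of one byte flipped."""
    buf = bytearray(data)
    buf[byte_index] ^= 1
    return bytes(buf)


def differing_sub_blocks(a: bytes, b: bytes) -> list[int]:
    """Indices of 64-byte sub-blocks that differ between two equal-length outputs."""
    n = len(a) // SUB_BLOCK
    return [i for i in range(n)
            if a[i * SUB_BLOCK:(i + 1) * SUB_BLOCK] != b[i * SUB_BLOCK:(i + 1) * SUB_BLOCK]]


def hamming_bits(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def sample_large_block() -> bytes:
    # constructed, deterministic sample input: sub-block i is 64 copies of byte i
    return b"".join(bytes([i]) * SUB_BLOCK for i in range(N_SUB))


def iterative_diffusion(flipped_sub_block: int) -> list[int]:
    """Which output sub-blocks change when one input bit in the given
    sub-block is flipped, under the chained design."""
    block = sample_large_block()
    changed = flip_bit(block, flipped_sub_block * SUB_BLOCK)
    return differing_sub_blocks(iterative_compress(block),
                                iterative_compress(changed))


def whole_block_diffusion(flipped_byte: int) -> int:
    """Bits of the 512-bit output that change when one input bit is flipped
    in a Catena-sized (64-byte) block."""
    block = sample_large_block()[:SUB_BLOCK]     # one BLAKE2b-sized block
    changed = flip_bit(block, flipped_byte)
    return hamming_bits(whole_block_compress(block),
                        whole_block_compress(changed))


if __name__ == "__main__":
    # Chained design: flipping a bit in sub-block 5 leaves sub-blocks 0..4 untouched.
    print("iterative, flip in sub-block 5 ->", iterative_diffusion(5))
    # Single-output block: roughly half of all 512 output bits change.
    print("whole block, flip in byte 5 ->", whole_block_diffusion(5), "of 512 bits")
```

In the chained model the first five output sub-blocks are byte-for-byte identical before and after the flip, which is exactly the kind of incomplete diffusion across a block that the thread is concerned with; in the single-output model there is no sub-structure for a difference to hide in.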
