Message-ID: <20150506075420.GA30917@openwall.com>
Date: Wed, 6 May 2015 10:54:20 +0300
From: Solar Designer <solar@...nwall.com>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] "Attack on the iterative compression function"
On Sun, Apr 19, 2015 at 06:36:42AM +0300, Solar Designer wrote:
> On Fri, Apr 17, 2015 at 01:43:15PM +0200, Sascha Schmidt wrote:
> > If I understand this attack correctly, it relies on the compression
> > function not providing enough diffusion.
>
> Yes, but referring to entire blocks of the memory-hard algorithm.
>
> > The best differential probabilities I could find are over 3.5 rounds
> > of Blake2b or 4.5 rounds of just the compression function[1]. [2]
> > limits a rotational distinguisher to 7 rounds. This hints that Blake2b
> > reaches a high diffusion after just a few rounds. From my
> > understanding, this would make this attack unfeasible.
> >
> > Catena's reduced Blake2b tries to be as close to the actual Blake2b as
> > possible. The diffusion should be similar to the original. At least I
> > can't find anything that would affect it.
>
> Doesn't Catena use blocks much larger than a single BLAKE2b output?
I just took a closer look, and it appears that my assumption was wrong.
Catena works directly with BLAKE2b outputs, without any "sub-blocks".
So it appears immune to the attack discussed in this thread.
Alexander