| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 6 May 2015 10:54:20 +0300 From: Solar Designer <solar@...nwall.com> To: discussions@...sword-hashing.net Subject: Re: [PHC] "Attack on the iterative compression function" On Sun, Apr 19, 2015 at 06:36:42AM +0300, Solar Designer wrote: > On Fri, Apr 17, 2015 at 01:43:15PM +0200, Sascha Schmidt wrote: > > If I understand this attack correctly, it relies on the compression > > function not providing enough diffusion. > > Yes, but referring to entire blocks of the memory-hard algorithm. > > > The best differential probabilities I could find are over 3.5 rounds > > of Blake2b or 4.5 rounds of just the compression function[1]. [2] > > limits a rotational distinguisher to 7 rounds. This hints that Blake2b > > reaches a high diffusion after just a few rounds. From my > > understanding, this would make this attack unfeasible. > > > > Catena's reduced Blake2b tries to be as close to the actual Blake2b as > > possible. The diffusion should be similar to the original. At least I > > can't find anything that would affect it. > > Doesn't Catena use blocks much larger than a single BLAKE2b output? I just took a closer look, and it appears that my assumption was wrong. Catena works directly with BLAKE2b outputs, without any "sub-blocks". So it appears immune to the attack discussed in this thread. Alexander
Powered by blists - more mailing lists