lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 Jul 2015 22:57:53 +0300
From: Solar Designer <>
Subject: Re: [PHC] Overview of PHC Candidates and Garbage-Collector Attacks

Hi Jakob,

On Thu, Jul 02, 2015 at 05:05:50PM +0200, Jakob Wenzel wrote:
> we have updated the classification document (including analysis
> regarding to (weak) garbage-collector attacks -- (W)GCA).
> See:
> Among other minor changes, the update includes:
> 1) Argon2d and Argon2i (as two instantiations of the finalist Argon2)
> 2) yescrypt now provides (W)GCA resistance under certain requirements
>    depending on the input parameter

It is unclear from your description whether you think yescrypt provides
GC resistance at t > 0 and/or g > 0, and why.  Can you clarify?  You
first list t = 0 among requirements for yescrypt's GC resistance, and
then describe how things change at t > 0 and/or g > 0, but you seem to
never clearly state whether it's GC attack resistant at those settings.
(And there's a missing closing brace, but this doesn't affect meaning.)

On a related note, the tweaked yescrypt defines client-independent
updates, so you may check this in Table 2.

> 3) tables now differentiate between finalist/non-finalists
> 4) added motivation for (W)GCA attacks in the introduction
> 5) BLAKE2b-1 is added as hash function for Catena
> 6) BlaMka is added as permutation for Lyra2 (in brackets, since it is
>    not fully analyzed yet and thus, not recommended as default
>    instantiation by the authors of Lyra2)



Powered by blists - more mailing lists