Date: Fri, 10 Jul 2015 02:22:32 +0800
From: Hongjun Wu <>
Subject: Re: [PHC] Overview of PHC Candidates and Garbage-Collector Attacks

Hi Jakob,

Thanks for the report.

1.   To be precise, the state of POMELO (of the second round) is updated
 3*2^{t_cost}+2 times on average  (some details: a state is updated through
feedback; local table lookup; global table lookup).

      For example, for t_cost = 0, the state is updated 5 times on average;
for t_cost = 1, the state is updated 8 times on average; for t_cost = 2,
the state is updated 14 times on average.

2.  Assuming that the memory usage data in Table 1 is accurate, it is a
surprise that only two (?) finalists provide memory usage in a wide range
(Battcrypt: 128KB to 128M;   POMELO: 8 KB to 256GB).  Argon is another
candidate that provides memory in a wide range (1KB to 1GB), but Argon2
does not have that feature.

3.  Since the report talks about the security of each candidate in Table 3,
I add something on POMELO below.

     As analyzed in the POMELO document, even for t_cost = 0, POMELO
provides strong protection against the low memory attack since it is costly
to store partial state in the attack due to the combination of local table
lookup and global table lookup.  The protection mechanism of POMELO against
low memory attack is completely different from all the other candidates,
and I think that POMELO provides a very efficient approach to defend
against low memory attack.

Best Regards,

On Thu, Jul 2, 2015 at 11:05 PM, Jakob Wenzel <>

> Hi all,
> we have updated the classification document (including analysis
> regarding (weak) garbage-collector attacks -- (W)GCA).
> See:
> Among other minor changes, the update includes:
> 1) Argon2d and Argon2i (as two instantiations of the finalist Argon2)
> 2) yescrypt now provides (W)GCA resistance under certain requirements
>    depending on the input parameter
> 3) tables now differentiate between finalist/non-finalists
> 4) added motivation for (W)GCA attacks in the introduction
> 5) BLAKE2b-1 is added as hash function for Catena
> 6) BlaMka is added as permutation for Lyra2 (in brackets, since it is
>    not fully analyzed yet and thus, not recommended as default
>    instantiation by the authors of Lyra2)
> Comments are welcome.
> Best regards,
> Jakob
> --
> Jakob Wenzel
> Research Assistant
> Chair of Media Security (Prof. Lucks)
> Bauhausstraße 11 (Room 217)
> 99423 Weimar
