Open Source and information security mailing list archives
Date: Mon, 13 Jul 2015 14:49:08 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] Bandwidth hardened algorithms?

On Mon, Jul 13, 2015 at 2:39 PM, Bill Cox <> wrote:

>> As a side note, I find it strange that you still consider Momentum.
>> Memoryless collision search is so well known and explored, that this scheme
>> is barely better than plain SHA-256.
>> Best regards,
>> Dmitry
> The parallel Pollard Rho algorithm would make short work of Momentum,
> except that when they actually implemented it, they changed it slightly
> from the description in the paper.

BTW, this is a great example of why I prefer to read the source code rather
than the papers that describe the algorithm.  Papers have errors, get out
of date, and skip critical details.  The code is where we actually prove an
algorithm works.  Momentum is a good example.  After reading just the
paper, and being informed about the parallel Pollard Rho algorithm, I was
also confused why Momentum was still being considered for PoW.

Details, like having a 26-bit input vs. 50-bit output, are not documented in
any paper, AFAIK.  They also generate 8 26-bit hashes per SHA-512 hash - a
critical speed feature not mentioned anywhere that I could find.
Fortunately, Momentum's implementation is tiny, and easy to read, even if
it does look rather slow.
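To make that structure concrete, here is an added example (constructed for this note, not Momentum's own code nor anything posted to the list) that models the message's description: 8 truncated sub-hashes per SHA-512 call, a table-based birthday search for a collision between two sub-hash indices, and the cheap verification. The header bytes, the little-endian word layout and the nonce-index scheme are assumptions, and the nonce and output widths are scaled down from the 26/50 bits the message cites so the search runs instantly.

```python
import hashlib
import struct

# Constructed toy model of the structure the message describes (not Momentum's
# own code): one SHA-512 over header || nonce yields 8 sub-hashes, each truncated
# to out_bits bits, and the proof is a pair of distinct sub-hash indices with equal
# values. The message cites a 26-bit nonce space and 50-bit outputs; the defaults
# here are scaled down (16-bit / 24-bit) so the birthday search finishes instantly.

WORDS_PER_HASH = 8  # SHA-512 is 64 bytes = 8 little-endian 64-bit words (assumed layout)

def sub_hashes(header: bytes, base_nonce: int, out_bits: int) -> list:
    """Return [(index, value), ...] for the 8 words of SHA-512(header || base_nonce)."""
    digest = hashlib.sha512(header + struct.pack("<I", base_nonce)).digest()
    mask = (1 << out_bits) - 1
    words = struct.unpack("<8Q", digest)
    # index base_nonce + i names word i of this call, so one SHA-512 covers 8 indices
    return [(base_nonce + i, w & mask) for i, w in enumerate(words)]

def sub_hash_at(header: bytes, index: int, out_bits: int = 24) -> int:
    """Recompute the single truncated sub-hash identified by index."""
    base = index - index % WORDS_PER_HASH
    return sub_hashes(header, base, out_bits)[index % WORDS_PER_HASH][1]

def find_collision(header: bytes, nonce_bits: int = 16, out_bits: int = 24):
    """Table-based birthday search; returns (index_a, index_b, value) or None.
    The `seen` table grows with every sub-hash examined: that is the memory cost
    the scheme relies on, and a memoryless collision search avoids it.
    """
    seen = {}
    for base in range(0, 1 << nonce_bits, WORDS_PER_HASH):
        for idx, value in sub_hashes(header, base, out_bits):
            prev = seen.get(value)
            if prev is not None:
                return prev, idx, value  # prev < idx since indices increase
            seen[value] = idx
    return None

def verify(header: bytes, index_a: int, index_b: int, out_bits: int = 24) -> bool:
    """Verifier's cheap check: two distinct indices whose truncated sub-hashes match."""
    if index_a == index_b:
        return False
    return sub_hash_at(header, index_a, out_bits) == sub_hash_at(header, index_b, out_bits)

if __name__ == "__main__":
    hdr = b"constructed block header"  # constructed sample input
    print(find_collision(hdr))
```

The `seen` dictionary is exactly the memory a memoryless search such as the parallel Pollard Rho the message mentions does without, which is why the table-based prover has no advantage over it.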

