lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Jul 2015 14:09:33 +0200
From: Jakob Wenzel <jakob.wenzel@...-weimar.de>
To: discussions@...sword-hashing.net
Subject: Re: [PHC] Overview of PHC Candidates and Garbage-Collector Attacks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 09.07.2015 20:22, Hongjun Wu wrote:
> Hi Jocob,
> 
> Thanks for the report.
> 
> 1.   To be precise, the state of POMELO (of the second round) is
> updated 3*2^{t_cost}+2 times on average  (some details: a state is
> updated through feedback; local table lookup; global table lookup).
> 
> 

Hi Hongjun,

Thank you for your comments! I changed the number of updates from
2^{2*t_cost}+2 to 3*2^{t_cost}+2.

> 2.  Assume that the memory usage data in Table 1 is accurate, it is
> a surprise that only two (?) finalists provide memory usage in a
> wide range (Battcrypt: 128KB to 128M;   POMELO: 8 KB to 256GB).
> Argon is another candidate that provides memory in a wide range
> (1KB to 1GB), but Argon2 does not have that feature.

The table is generated from the parameter recommendations taken from
the specifications. I don't think that only battcrypt and POMELO
provide a wide range of memory usage, but that most recommendations
where done for the case of maximum memory usage by still providing an
acceptable login time for the user.

Considering Catena-BRG, we recommended 128 MB memory usage which runs
in about 0.51 seconds. But, you can also invoke Catena-BRG with only
128KB of memory then running in about 0.02 seconds (for lambda = 255).

Best regards,
Jakob


> 3.  Since the report talks about the security of each candidate in
> Table I add something on POMELO below.
> 
> As analyzed in the POMELO document, even for t_cost = 0, POMELO 
> provides strong protection against the low memory attack since it
> is costly to store partial state in the attack due to the
> combination of local table lookup and global table lookup.  The
> protection mechanism of POMELO against low memory attack is
> completely different from all the other candidates, and I think
> that POMELO provides a very efficient approach to defend against
> low memory attack.
> 
> Best Regards, Hongjun
> 
> On Thu, Jul 2, 2015 at 11:05 PM, Jakob Wenzel 
> <jakob.wenzel@...-weimar.de <mailto:jakob.wenzel@...-weimar.de>>
> wrote:
> 
> Hi all,
> 
> we have updated the classification document (including analysis 
> regarding to (weak) garbage-collector attacks -- (W)GCA).
> 
> See: https://eprint.iacr.org/2014/881
> 
> Among other minor changes, the update includes: 1) Argon2d and
> Argon2i (as two instantiations of the finalist Argon2) 2) yescrypt
> now provides (W)GCA resistance under certain requirements depending
> on the input parameter 3) tables now differentiate between
> finalist/non-finalists 4) added motivation for (W)GCA attacks in
> the introduction 5) BLAKE2b-1 is added as hash function for Catena 
> 6) BlaMka is added as permutation for Lyra2 (in brackets, since it
> is not fully analyzed yet and thus, not recommended as default 
> instantiation by the authors of Lyra2)
> 
> Comments are welcome.
> 
> Best regards, Jakob
> 
> 
> 

- -- 
Jakob Wenzel
Research Assistant
Chair of Media Security (Prof. Lucks)
Bauhausstra├če 11 (Room 217)
99423 Weimar
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJVpPv9AAoJEDFlRQsgEDnDeIwH/1AN3K8YoZm6utshpZNvjnpt
4ZsDpchHcq2lP5l13ey3eONg7cQGAqHsLqWazUYO8z7uQV1YXn50NVYhqO12pXan
8l+NYYcJURHP8EUHarIfzbwpTjL7MRFygAauulBxnqgucws1uKeJ6tV9FURdexsv
e5lfYHf94tzZDn2Ts/XIAdFttjcNOhk5Su4wxEgyJD8H3mTod8XzoK5zM0H1/7es
xn4XF0KgWPcW5CUxdNSbNspKqLXDWt2LQG3TmIdKRiovx1HfXGYzb5dBMYZjPbGB
Kuqu5t2i1iBr33yb1I76Lc9P6uN95qmYPzRCE/+G5U13mzcU9NvhvhRkNjLnnLI=
=lL5c
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists