Open Source and information security mailing list archives
Date: Tue, 14 Jul 2015 14:09:33 +0200
From: Jakob Wenzel <>
Subject: Re: [PHC] Overview of PHC Candidates and Garbage-Collector Attacks

On 09.07.2015 20:22, Hongjun Wu wrote:
> Hi Jakob,
> Thanks for the report.
> 1.   To be precise, the state of POMELO (of the second round) is
> updated 3*2^{t_cost}+2 times on average  (some details: a state is
> updated through feedback; local table lookup; global table lookup).

Hi Hongjun,

Thank you for your comments! I changed the number of updates from
2^{2*t_cost}+2 to 3*2^{t_cost}+2.

> 2.  Assume that the memory usage data in Table 1 is accurate, it is
> a surprise that only two (?) finalists provide memory usage in a
> wide range (Battcrypt: 128KB to 128M;   POMELO: 8 KB to 256GB).
> Argon is another candidate that provides memory in a wide range
> (1KB to 1GB), but Argon2 does not have that feature.

The table is generated from the parameter recommendations taken from
the specifications. I don't think that only battcrypt and POMELO
provide a wide range of memory usage, but that most recommendations
were made for the case of maximum memory usage while still providing an
acceptable login time for the user.

Considering Catena-BRG, we recommended 128 MB memory usage, which runs
in about 0.51 seconds. But you can also invoke Catena-BRG with only
128 KB of memory, which then runs in about 0.02 seconds (for lambda = 255).

Best regards,

> 3.  Since the report talks about the security of each candidate in
> Table I add something on POMELO below.
> As analyzed in the POMELO document, even for t_cost = 0, POMELO 
> provides strong protection against the low memory attack since it
> is costly to store partial state in the attack due to the
> combination of local table lookup and global table lookup.  The
> protection mechanism of POMELO against low memory attack is
> completely different from all the other candidates, and I think
> that POMELO provides a very efficient approach to defend against
> low memory attack.
> Best Regards, Hongjun
> On Thu, Jul 2, 2015 at 11:05 PM, Jakob Wenzel wrote:
> Hi all,
> we have updated the classification document (including analysis
> regarding (weak) garbage-collector attacks -- (W)GCA).
> See:
> Among other minor changes, the update includes:
> 1) Argon2d and Argon2i (as two instantiations of the finalist Argon2)
> 2) yescrypt now provides (W)GCA resistance under certain requirements
>    depending on the input parameter
> 3) tables now differentiate between finalists/non-finalists
> 4) added motivation for (W)GCA attacks in the introduction
> 5) BLAKE2b-1 is added as hash function for Catena
> 6) BlaMka is added as permutation for Lyra2 (in brackets, since it
>    is not fully analyzed yet and thus not recommended as default
>    instantiation by the authors of Lyra2)
> Comments are welcome.
> Best regards, Jakob

-- 
Jakob Wenzel
Research Assistant
Chair of Media Security (Prof. Lucks)
Bauhausstraße 11 (Room 217)
99423 Weimar