Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 29 Dec 2013 12:38:01 -0800
From: Stephen Touset <>
Subject: Re: Password Scrambling

On Dec 24, 2013, at 2:52 AM, Christian Forler <> wrote:

> On 24.12.2013 01:49, Solar Designer wrote:
>> Christian (one or/and the other), all -
>> On Tue, Sep 03, 2013 at 08:00:58PM +0200, CodesInChaos wrote:
>>> On 9/2/2013 9:58 AM, Christian Forler wrote:
>>>> Nevertheless, we came up with Catena, a new memory-hard
>>>> password scrambler based on the bit reversal function. A detailed
>>>> description of our scheme is available on eprint
>>>> (
>>> Doesn't the standard "store every 1/sqrt(n)th value and recompute the rest
>>> using parallel cores" attack using a parallel computer break this?
>> What's the current understanding on this?  I think the attack does work
>> against Catena, although I only skimmed over the paper.  Does this mean
>> some of the proofs in the paper are flawed?
> Yes, the attack is working, but it does not invalidate any of our
> security proofs.

I believe this is because your security proofs only prove that Catena is a memory-hard algorithm and *not* a sequentially memory-had function. Your proof (at least as of the time I read it) involved a pebble game, but not with a ruleset extended to reflect multiple cores.


Stephen Touset

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.