Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Dec 2013 03:08:13 +0100
From: CodesInChaos <>
Subject: Re: Password Scrambling

The attack as I originally envisioned it doesn't work. Value
recalculation produces a tree which can be recomputed on the fly, but
that needs n not sqrt(n) cores, making it useless. I'm leaning towards
considering catena secure, but will need to think more about it.

Some other notes:

* It's important to take amortization into account. An attacker who
computes multiple hashes in parallel (with same or different salt) can
drop the average cost for some schemes. I don't think catena is one of
them, but the security definition doesn't seem to consider this. A
pathological example would be sha2(scrypt(salt) | pass)

* Constants matter. Choose software efficient primitives. The catena
update scheme reduces performance and security as well. Perhaps one
should specify the levels to compute as a list of indices, so one can
skip some. Or hardcode a factor 4 instead of 2.

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.