Message-ID: <CAK9dnSzmkqNtsfONxKHPE-CmTzS8ofnOznTJOHaPp=tuEF==bQ@mail.gmail.com>
Date: Mon, 30 Dec 2013 03:08:13 +0100
From: CodesInChaos <codesinchaos@...il.com>
To: crypt-dev@...ts.openwall.com
Subject: Re: Password Scrambling

The attack as I originally envisioned it doesn't work. Value recalculation produces a tree which can be recomputed on the fly, but that needs n not sqrt(n) cores, making it useless.

I'm leaning towards considering catena secure, but will need to think more about it.

Some other notes:

* It's important to take amortization into account. An attacker who computes multiple hashes in parallel (with same or different salt) can drop the average cost for some schemes. I don't think catena is one of them, but the security definition doesn't seem to consider this. A pathological example would be sha2(scrypt(salt) | pass)

* Constants matter. Choose software efficient primitives. The catena update scheme reduces performance and security as well. Perhaps one should specify the levels to compute as a list of indices, so one can skip some. Or hardcode a factor 4 instead of 2.
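
The amortization point in the message above, as an added example that is not part of the original message: it counts how many expensive scrypt invocations are needed to hash a list of candidate passwords under one salt, for the pathological construction sha2(scrypt(salt) | pass) and for a scheme whose expensive step depends on the password. The scrypt parameters, the reading of `scrypt(salt)` as scrypt applied to the salt alone, and all function names are assumptions made for this example.

```python
import hashlib

# Assumed, deliberately small scrypt parameters so the example runs quickly.
SCRYPT = dict(n=2**10, r=8, p=1, dklen=32)


class CountingScrypt:
    """hashlib.scrypt with a result cache and a counter of real invocations."""

    def __init__(self):
        self.calls = 0
        self._cache = {}

    def __call__(self, secret: bytes, salt: bytes) -> bytes:
        key = (secret, salt)
        if key not in self._cache:  # repeated inputs cost nothing extra
            self.calls += 1
            self._cache[key] = hashlib.scrypt(secret, salt=salt, **SCRYPT)
        return self._cache[key]


def pathological(kdf, password: bytes, salt: bytes) -> bytes:
    # sha2(scrypt(salt) | pass): the expensive step never sees the password,
    # so its output is shared by every hash computed under the same salt.
    return hashlib.sha256(kdf(salt, salt) + password).digest()


def password_dependent(kdf, password: bytes, salt: bytes) -> bytes:
    # The expensive step takes the password as input: nothing can be shared.
    return kdf(password, salt)


def expensive_calls(scheme, candidates, salt: bytes) -> int:
    """Number of scrypt invocations needed to hash every candidate."""
    kdf = CountingScrypt()
    for pw in candidates:
        scheme(kdf, pw, salt)
    return kdf.calls


if __name__ == "__main__":
    salt = b"constructed-salt"                       # constructed sample
    candidates = [b"pw%d" % i for i in range(20)]    # constructed sample
    for scheme in (pathological, password_dependent):
        print(scheme.__name__, expensive_calls(scheme, candidates, salt))
```

With 20 candidates the pathological scheme pays for scrypt once, so its average cost per hash approaches a single SHA-256, while the password-dependent scheme pays for scrypt every time.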