Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 29 Dec 2013 12:38:01 -0800
From: Stephen Touset <stephen@...set.org>
To: crypt-dev@...ts.openwall.com
Subject: Re: Password Scrambling


On Dec 24, 2013, at 2:52 AM, Christian Forler <christian.forler@...-weimar.de> wrote:

> On 24.12.2013 01:49, Solar Designer wrote:
>> Christian (one or/and the other), all -
>> 
>> On Tue, Sep 03, 2013 at 08:00:58PM +0200, CodesInChaos wrote:
>>> On 9/2/2013 9:58 AM, Christian Forler wrote:
>>>> Nevertheless, we came up with Catena, a new memory-hard
>>>> password scrambler based on the bit reversal function. A detailed
>>>> description of our scheme is available on eprint
>>>> (http://eprint.iacr.org/2013/525).
>>> 
>>> Doesn't the standard "store every 1/sqrt(n)th value and recompute the rest
>>> using parallel cores" attack using a parallel computer break this?
> 
>> What's the current understanding on this?  I think the attack does work
>> against Catena, although I only skimmed over the paper.  Does this mean
>> some of the proofs in the paper are flawed?
> 
> Yes, the attack is working, but it does not invalidate any of our
> security proofs.

I believe this is because your security proofs only prove that Catena is a memory-hard algorithm and *not* a sequentially memory-had function. Your proof (at least as of the time I read it) involved a pebble game, but not with a ruleset extended to reflect multiple cores.

Correct?

— 
Stephen Touset
stephen@...set.org

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ