Date: Mon, 30 Dec 2013 03:08:13 +0100 From: CodesInChaos <codesinchaos@...il.com> To: crypt-dev@...ts.openwall.com Subject: Re: Password Scrambling The attack as I originally envisioned it doesn't work. Value recalculation produces a tree which can be recomputed on the fly, but that needs n not sqrt(n) cores, making it useless. I'm leaning towards considering catena secure, but will need to think more about it. Some other notes: * It's important to take amortization into account. An attacker who computes multiple hashes in parallel (with same or different salt) can drop the average cost for some schemes. I don't think catena is one of them, but the security definition doesn't seem to consider this. A pathological example would be sha2(scrypt(salt) | pass) * Constants matter. Choose software efficient primitives. The catena update scheme reduces performance and security as well. Perhaps one should specify the levels to compute as a list of indices, so one can skip some. Or hardcode a factor 4 instead of 2.
Powered by blists - more mailing lists
Powered by Openwall GNU/*/Linux - Powered by OpenVZ