Date: Sun, 29 Dec 2013 12:38:01 -0800 From: Stephen Touset <stephen@...set.org> To: crypt-dev@...ts.openwall.com Subject: Re: Password Scrambling On Dec 24, 2013, at 2:52 AM, Christian Forler <christian.forler@...-weimar.de> wrote: > On 24.12.2013 01:49, Solar Designer wrote: >> Christian (one or/and the other), all - >> >> On Tue, Sep 03, 2013 at 08:00:58PM +0200, CodesInChaos wrote: >>> On 9/2/2013 9:58 AM, Christian Forler wrote: >>>> Nevertheless, we came up with Catena, a new memory-hard >>>> password scrambler based on the bit reversal function. A detailed >>>> description of our scheme is available on eprint >>>> (http://eprint.iacr.org/2013/525). >>> >>> Doesn't the standard "store every 1/sqrt(n)th value and recompute the rest >>> using parallel cores" attack using a parallel computer break this? > >> What's the current understanding on this? I think the attack does work >> against Catena, although I only skimmed over the paper. Does this mean >> some of the proofs in the paper are flawed? > > Yes, the attack is working, but it does not invalidate any of our > security proofs. I believe this is because your security proofs only prove that Catena is a memory-hard algorithm and *not* a sequentially memory-had function. Your proof (at least as of the time I read it) involved a pebble game, but not with a ruleset extended to reflect multiple cores. Correct? — Stephen Touset stephen@...set.org
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.