Re: [saag] AD sponsoring draft-josefsson-scrypt-kdf

Simon Josefsson <simon@josefsson.org> Thu, 13 August 2015 14:24 UTC

From: Simon Josefsson <simon@josefsson.org>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <559153E0.5050102@cs.tcd.ie> <55C932F6.7080203@cs.tcd.ie> <87y4hg9lnt.fsf@latte.josefsson.org> <CAJU7za+GW8HWCuTzG7YuV2k=pDFrkkGxaxQ9h+=Q6xG9NyQQ8A@mail.gmail.com> <CAHbuEH7peLvze9Wcphk5pSbCpGhdW3AsqtqaYSk=pomHNn9Mkg@mail.gmail.com>
OpenPGP: id=54265E8C; url=http://josefsson.org/54265e8c.txt
Date: Thu, 13 Aug 2015 16:24:08 +0200
In-Reply-To: <CAHbuEH7peLvze9Wcphk5pSbCpGhdW3AsqtqaYSk=pomHNn9Mkg@mail.gmail.com> (Kathleen Moriarty's message of "Thu, 13 Aug 2015 09:10:25 -0400")
Message-ID: <87a8tv8dx3.fsf@latte.josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/EODfYQ-96kmgzyN8xTzxeIxCeJ0>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] AD sponsoring draft-josefsson-scrypt-kdf

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> writes:

> On Thu, Aug 13, 2015 at 7:48 AM, Nikos Mavrogiannopoulos
> <nmav@gnutls.org> wrote:
>> On Thu, Aug 13, 2015 at 12:39 AM, Simon Josefsson <simon@josefsson.org> wrote:
>>> DES-based UNIX Crypt-function,
>>> FreeBSD MD5 crypt,
>>> GNU SHA-256/512 crypt
>>> Windows NT LAN Manager (NTLM) hash
>>> Blowfish-based bcrypt
>>
>> The latter was published in USENIX 1999:
>> https://www.usenix.org/legacy/event/usenix99/provos/provos.pdf
>>
>>> As far as I know, Salsa20 was not published at any conference or
>>> journal, so there may not be any better references.
>>
>> Salsa20 was an official submission to estream competition, so the
>> authoritative reference is the design articles at:
>> http://www.ecrypt.eu.org/stream/salsa20pf.html (the "Salsa20
>> specification" and "Salsa20 design").
>
> I'd just like to take a step back from the reference question to ask,
> why is salsa used as a hash when it was designed as a stream cipher?

This is a terminology issue.  'Salsa20 core' or 'Salsa20 hash' is
explained here:

http://cr.yp.to/salsa20.html

Salsa20 core is a hash function, in its general sense, see:

https://en.wikipedia.org/wiki/Hash_function

In particular, Salsa20 core is NOT a cryptographic hash function.
Compare Salsa20 core to FNV or CRC or something similar, not to SHA-1.

Salsa20 the stream cipher is based on the Salsa20 core hash function.

Scrypt does not use Salsa20 the stream cipher.

Think of the Salsa20 hash function as similar to FNV hash.

This said, I'm not convinced the estream Salsa20 specification is the
most suitable reference to explain the Salsa20 core hash function.  The
eSTREAM site linked above only appears to publish a ZIP file with the
algorithm specification.  Is that a good reference?  However, perhaps we
can add it as an additional reference?  Then there is always the worry
about which is the "right" one in case of differences, but since the
draft includes test vectors I doubt there will be any confusion.

> Is there a reason Blake2 (derived from chacha) was not used instead?

1) Scrypt needs a (fast) mathematical hash function, not a cryptographic
hash.

2) Age; ChaCha and Scrypt were designed at the same time.

> Maybe there is a good reason and I'd be interested to have that
> background.

I hope this helps.

/Simon
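As an added example (my own code, not part of Simon's message or of the scrypt draft), here is the distinction the reply draws in running form: the Salsa20 core as the keyless 64-byte-to-64-byte mixing function scrypt feeds arbitrary blocks into, next to the stream-cipher use of the same core on a fixed (constants, key, nonce, counter) layout, with BlockMix, ROMix and scrypt itself built on the 8-round core following RFC 7914 (the published form of this draft). The function names are mine; the known-answer value is the scrypt("", "", 16, 1, 1, 64) vector from RFC 7914 section 12, and the cross-check against hashlib.scrypt uses parameters I chose, not a vector from the RFC.

```python
# Added example, not code from the original message or from the scrypt draft.
# Names (salsa20_core, block_mix, ro_mix, scrypt, ...) are my own; the
# structure follows RFC 7914 and the Salsa20 specification.
import hashlib
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"          # Salsa20 stream-cipher constants

# scrypt("", "", N=16, r=1, p=1, dkLen=64) from RFC 7914 section 12.
RFC7914_EMPTY_KAT = bytes.fromhex(
    "77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442"
    "fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906")


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _quarter(z, a, b, c, d):
    # Salsa20 quarterround, applied in place to four words of z.
    z[b] ^= _rotl((z[a] + z[d]) & MASK, 7)
    z[c] ^= _rotl((z[b] + z[a]) & MASK, 9)
    z[d] ^= _rotl((z[c] + z[b]) & MASK, 13)
    z[a] ^= _rotl((z[d] + z[c]) & MASK, 18)


def salsa20_core(block, rounds=8):
    """Salsa20 'hash': a keyless map from 64 bytes to 64 bytes.  No key, no
    collision-resistance claim; a mixing function in the FNV/CRC sense rather
    than a cryptographic hash.  scrypt uses the 8-round version."""
    assert len(block) == 64 and rounds % 2 == 0
    x = list(struct.unpack("<16I", block))
    z = x[:]
    for _ in range(rounds // 2):
        for col in ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)):
            _quarter(z, *col)                      # column round
        for row in ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)):
            _quarter(z, *row)                      # row round
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, z)])


def salsa20_keystream_block(key, nonce, counter):
    """Salsa20 the stream cipher: a keystream block is the 20-round core of a
    fixed layout (constants, key, nonce, block counter).  scrypt never does this."""
    assert len(key) == 32 and len(nonce) == 8
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<4I", SIGMA)
    state = (c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & MASK, (counter >> 32) & MASK,
             c[2], k[4], k[5], k[6], k[7], c[3])
    return salsa20_core(struct.pack("<16I", *state), rounds=20)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_mix(B, r):
    """RFC 7914 section 4: chain 2r 64-byte blocks through Salsa20/8, then
    output the even-indexed results followed by the odd-indexed ones."""
    X = B[-64:]
    even, odd = [], []
    for i in range(2 * r):
        X = salsa20_core(_xor(X, B[64 * i:64 * (i + 1)]), rounds=8)
        (even if i % 2 == 0 else odd).append(X)
    return b"".join(even + odd)


def ro_mix(B, r, N):
    """RFC 7914 section 5: the memory-hard loop; N copies of the 128*r-byte
    block are kept and revisited in a data-dependent order."""
    X, V = B, []
    for _ in range(N):
        V.append(X)
        X = block_mix(X, r)
    for _ in range(N):
        j = int.from_bytes(X[-64:], "little") % N     # Integerify(X) mod N
        X = block_mix(_xor(X, V[j]), r)
    return X


def scrypt(password, salt, N, r, p, dklen):
    """RFC 7914 section 6.  The cryptographic hashing lives in the
    PBKDF2-HMAC-SHA256 envelope; the Salsa20/8 core only mixes in between."""
    B = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * 128 * r)
    mixed = [ro_mix(B[128 * r * i:128 * r * (i + 1)], r, N) for i in range(p)]
    return hashlib.pbkdf2_hmac("sha256", password, b"".join(mixed), 1, dklen)


def self_check():
    """True when this implementation reproduces the RFC 7914 known answer."""
    return scrypt(b"", b"", 16, 1, 1, 64) == RFC7914_EMPTY_KAT


def matches_stdlib(password=b"password", salt=b"NaCl", N=16, r=2, p=1, dklen=48):
    """Cross-check against hashlib.scrypt when the interpreter's OpenSSL has it
    (parameters are my own choice, not an RFC vector)."""
    if not hasattr(hashlib, "scrypt"):
        return True
    return scrypt(password, salt, N, r, p, dklen) == hashlib.scrypt(
        password, salt=salt, n=N, r=r, p=p, dklen=dklen)


if __name__ == "__main__":
    print("core(0) == 0:", salsa20_core(bytes(64)) == bytes(64))
    print("keystream block:", salsa20_keystream_block(bytes(32), bytes(8), 0).hex())
    print("RFC 7914 KAT:", self_check(), " stdlib agrees:", matches_stdlib())
```

The all-zero input mapping to an all-zero output is a quick reminder of what kind of function the core is: a cryptographic hash would never behave that way, but a mixing function that gets its collision resistance from the PBKDF2-HMAC-SHA256 envelope around it does not need to.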